Cisco Talos assesses with high confidence that YoroTrooper, an espionage-focused threat actor first active in June 2022, likely consists of individuals from Kazakhstan based on their use of Kazakh currency and fluency in Kazakh and Russian.

Kazakhstan-associated YoroTrooper disguises origin of attacks as Azerbaijan

The popularity of Brazil's PIX instant payment system has made it a lucrative target for threat actors looking to generate illicit profits using a new malware called GoPIX.
Kaspersky, which has been tracking the active campaign since December 2022, said the attacks are pulled off using malicious ads that are served when potential victims search for "WhatsApp web" on search engines.
"The

The popularity of Brazil's PIX instant payment system has made it a lucrative target for threat actors looking to generate illicit profits using a new malware called **GoPIX**.

Kaspersky, which has been tracking the active campaign since December 2022, said the attacks are pulled off using malicious ads that are served when potential victims search for "WhatsApp web" on search engines.

"The cybercriminals employ malvertising: their links are placed in the ad section of the search results, so the user sees them first," the Russian cybersecurity vendor said. "If they click such a link, a redirection follows, with the user ending up on the malware landing page."

As other malvertising campaigns observed recently, users who click on the ad will be redirected via a cloaking service that is meant to filter sandboxes, bots, and others not deemed to be genuine victims.

This is accomplished by using a legitimate fraud prevention solution known as IPQualityScore to determine if the site visitor is a human or a bot. Users who pass the check are displayed a fake WhatsApp download page to trick them into downloading a malicious installer.

In an interesting twist, the malware can be downloaded from two different URLs depending on whether port 27275 is open on the user's machine.

"This port is used by the Avast safe banking software," Kaspersky explained. "If this software is detected, a ZIP file is downloaded that contains an LNK file embedding an obfuscated PowerShell script that downloads the next stage."

Should the port be closed, the NSIS installer package is directly downloaded. This indicates that the additional guardrail is set up explicitly to bypass the security software and deliver the malware.

The main purpose of the installer is to retrieve and launch the GoPIX malware using a technique called process hollowing by starting the svchost.exe Windows system process in a suspended state and injecting the payload into it.

GoPIX functions as a clipboard stealer malware that hijacks PIX payment requests and replaces them with an attacker-controlled PIX string, which is retrieved from a command-and-control (C2) server.

"The malware also supports substituting Bitcoin and Ethereum wallet addresses," Kaspersky said. "However, these are hardcoded in the malware and not retrieved from the C2. GoPIX can also receive C2 commands, but these are only related to removing the malware from the machine."

This is not the only campaign to target users searching for messaging apps like WhatsApp and Telegram on search engines.

In a new set of attacks concentrated in the Hong Kong region, bogus ads on Google search results have been found to redirect users to fraudulent lookalike pages that urge users to scan a QR code to link their devices.

"The issue here is that the QR code you are scanning is from a malicious site that has nothing to do with WhatsApp," Jérôme Segura, director of threat intelligence at Malwarebytes, said in a Tuesday report.

As a result, the threat actor's device gets linked to the victim's WhatsApp accounts, granting the malicious party complete access to their chat histories and saved contacts.

Malwarebytes said it also discovered a similar campaign that uses Telegram as a lure to entice users into downloading a counterfeit installer from a Google Docs page that contains injector malware.

The development comes as Proofpoint revealed that a new version of the Brazilian banking trojan dubbed Grandoreiro is targeting victims in Mexico and Spain, describing the activity as "unusual in frequency and volume."

The enterprise security firm has attributed the campaign to a threat actor it tracks as TA2725, which is known for using Brazilian banking malware and phishing to single out various entities in Brazil and Mexico.

The targeting of Spain points to an emerging trend wherein Latin American-focused malware are increasingly setting their sights on Europe. Earlier this May, SentinelOne uncovered a long-running campaign undertaken by a Brazilian threat actor to target over 30 Portuguese banks with stealer malware.

Meanwhile, information stealers are flourishing in the cybercrime economy, with crimeware authors flooding the underground market with malware-as-a-service (MaaS) offerings that provide cybercriminals with a convenient and cost-effective means to conduct attacks.

What's more, such tools lower the entry barrier for aspiring threat actors who may lack technical expertise themselves.

The latest to join the stealer ecosystem is Lumar, which was first advertised by a user named Collector on cybercrime forums, marketing its capabilities to capture Telegram sessions, harvest browser cookies and passwords, retrieve files, and extract data from crypto wallets.

"Despite having all these functionalities, the malware is relatively small in terms of size (only 50 KB), which is partly due to the fact that it is written in C," Kaspersky noted.

"The emerging malware is often advertised on the dark web among less skilled criminals, and distributed as MaaS, allowing its authors to grow rich quickly and endangering legitimate organizations again and again."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malvertising Campaign Targets Brazil's PIX Payment System with GoPIX Malware

Emerging RaaS operation uses Rhysida ransomware paired with a wicked infostealer called Lumar, researchers warn.

Operating since last May, an emerging ransomware strain called Rhysida was deployed along with new stealer malware called Lumar for a potent new one-two punch against Brazil's popular PIX payment system users.

Researchers from Kaspersky reported Rhysida is functioning as a ransomware-as-a-service (RaaS) operation with a demonstrated ability to quickly evolve.

"It stands out for its unique self-deletion mechanism and compatibility with pre-Windows 10 versions of Microsoft. Written in C++ and compiled with MinGW and shared libraries, Rhysida showcases sophistication in its design," Kaspersky said in its findings about the group. "While relatively new, Rhysida faced initial configuration challenges with its onion server, revealing a group's rapid adaptation and learning curve."

The ransomware campaign targeting PIX has been ongoing since December 2022, the Kaspersky team noted, adding that Rhysida was deployed along with a complimentary malware-as-a-service (MaaS) infostealer called Lumar to target users of the payment system.

Lumar first emerged in July 2023, the report added, and can steal data on Telegram sessions, passwords, cookies, autofill information, desktop files, and even cryptographic wallets.

Notably, the Kaspersky team said the Lumar stealer is compact, without sacrificing functionality.

"The malware's efficient data collection is facilitated by the use of three separate threads," the report added. "The C2, hosted by the malware author as a Malware as a Service (MaaS), provides user-friendly features such as statistics and data logs. Users can download the latest version of Lumar and receive Telegram notifications for incoming data."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Meet Rhysida, a New Ransomware Strain That Deletes Itself

By Deeba Ahmed
The critical API security flaws in the social sign-in and OAuth (Open Authentication) implementations affected high-profile companies like…
This is a post from HackRead.com Read the original post: Social Login Flaws in Popular Websites Risked Billions of User Accounts

The critical API security flaws in the social sign-in and OAuth (Open Authentication) implementations affected high-profile companies like Vidio, Grammarly, and Bukalapak.

*   **Salt Security’s Salt Labs research team has identified vulnerabilities in the social login implementations of three popular websites.**

*   **These vulnerabilities can expose over a billion user accounts to account hijacking and data leakage, given that social login is a standard feature found in almost all major and non-major websites.**

*   **Eighty percent of the targets Salt Labs’ investigated contained security flaws concerning social login features.**

*   **Researchers have revealed a small set of impacted targets.** 

*   **This discovery highlights the risks associated with social login functionality.**

The leading API security firm, Salt Security’s Salt Labs research team, has identified critical **API security flaws** in the social sign-in and the OAuth (Open Authentication) implementations of several high-profile online firms, including Vidio, Grammarly, and Bukalapak.

Investigation revealed that through Pass-The-Token Attack, a threat actor could exploit the vulnerabilities, gaining unauthorized access to a user’s accounts on dozens of websites and access their credit cards, bank accounts, and other sensitive data.

This research marks the third and final installment in the team’s OAuth hijacking series. Previously, Salt Labs researchers had identified vulnerabilities in **Expo** and **Booking.com**.

For your information, OAuth is a widely used authentication method. Many websites and web services use it to enable the user-friendly one-click login process. Moreover, through OAuth implementation, users can log in to their social media accounts, such as Facebook or Google, to register on a website instead of creating a new login ID and password.

The vulnerabilities were detected in the social sign-in process’ access token verification step. It is a crucial component of the OAuth implementation on websites. The issue occurred due to improper token verification in the process, allowing adversaries to obtain unauthorized access. 

In a **blog post**, Salt Labs Security Researcher Aviad Carmel wrote that their research team could exploit this flaw through the Pass-The-Token Attack, which involves inserting a token from another website to gain access to user accounts.

****Vulnerability Impact on Vidio.com****

On the Vidio website, researchers discovered the vulnerabilities while logging in through Facebook. The website (Vidio.com) didn’t verify the token or OAuth itself, which is a glaring flaw, allowing manipulation of the API calls to insert an access token created for another application. This alternate token-AppID combination allowed researchers to impersonate a user on the website and get the opportunity to take over thousands of accounts.

****Vulnerability Impact on Bukalapak.com****

One of Indonesia’s largest eCommerce platforms, Bukalapak’s website, also failed to verify the access token when users registered with a social login. Salt Labs team inserted a token from another website and was able to access a user’s credentials from the website, obtaining full control of the account.

It is worth noting that **in May 2020,** a hacker was discovered selling user data belonging to 13 million Bukalapak user accounts.

****Vulnerability Impact on Grammarly****

The researchers observed the AI-powered writing tool Grammarly.com website to learn the site’s code-sending terminology. Afterward, they could manipulate the API exchange to insert code used to verify users on a different website and successfully obtained user account credentials and performed account takeover.

Following the coordinated disclosure practice, Salt Labs researchers notified all three sites, and the issues have now been addressed. They believe the vulnerabilities could have impacted at least a billion accounts associated with the three affected sites.

The flaws although have been addressed but could have exposed sensitive login details and allowed adversaries to launch versatile range of attacks. This is a shocking discovery because thousands of websites use social sign-in functionality and billions of users worldwide could be at risk of threats like identity theft and financial fraud. 

> _Social Login is a very common feature that is implemented on almost every major (and non-major) web service. Around 80% of our targets included some kind of security issue related to social login functionality. The impact is that we were successfully able to take **over more than 1 billion accounts** across all the targets, which includes the ones identified in this research plus many others._
> 
> Yaniv Balmas – VP of Research at Salt Security

****Dicussion at SecTor****

Aviad Carmel and Yaniv Balmas of Salt Security will be hosting a **speaking session** titled: Uh-OAuth! – Breaking (and Fixing) OAuth Implementations” – Wednesday, October 25, 4:00-5:00pm, Meeting Room 718A.

For your information, SecTor is a Black Hat conference that focuses on underground threats and corporate defenses. It is held annually in Toronto, Canada. The conference is known for its high-quality speakers and attendees, and it is a must-attend event for anyone interested in the latest information on security threats and defenses. SecTor 2023 will be held October 23-26, 2023 at the Metro Toronto Convention Centre.

****_RELATED ARTICLES_****

1.  12-Year-Old Windows Defender flaw risked 1 billion devices
2.  Cybersecurity firm exposes 5 billion data breach records online
3.  DreamHost hosting firm exposed almost a billion sensitive records
4.  Credential Stealing Flaw in Google Chrome Impacted 2.5 Billion Users
5.  Online trading broker FBS exposes 20TB of data with 16 billion records
6.  Brazilian marketplace integrator Hariexpress exposed 1.75 billion records

Social Login Flaws in Popular Websites Risked Billions of User Accounts

By Waqas
This incident is a perfect example of the phrase "one thing leading to another.
This is a post from HackRead.com Read the original post: 1Password Discloses Security Incident Linked to Okta Breach

On October 23, 2023, 1Password’s CTO, Pedro Canahuati, disclosed the incident, stating that threat actors were unable to access or steal user data during the attack.

On October 24, 2023, 1Password disclosed (PDF) a security incident that was linked to the recent breach of Okta’s support system. The incident occurred when a threat actor gained access to an IT employee’s Okta session token by leveraging access to a stolen credential and used it to access 1Password’s Okta administrative portal.

While 1Password says that no user data was accessed during the incident, the incident highlights the importance of strong security practices for both Okta customers and password managers.

The latest security breach at Okta serves as the second cyberattack on the company. In March 2022, LAPSUS$ hackers claimed to have breached Okta and Microsoft after leaking a trove of their data on Telegram.

****How the Okta Breach Impacted 1Password****

Okta is a popular identity and access management (IAM) platform that helps organizations manage user access to their applications. On October 20, 2023, Okta disclosed that threat actors had gained access to its support systems and stolen authentication data for some of its customers.

1Password is one of the customers that was impacted by the Okta breach. On September 29, 1Password detected suspicious activity on its Okta instance. After a thorough investigation, 1Password concluded that a threat actor had used a stolen session token to access 1Password’s Okta administrative portal

> _“Based on our initial assessment, we have no evidence that proves the actor accessed any systems outside of Okta. The activity that we saw suggested they conducted initial reconnaissance with the intent to remain undetected for the purpose of gathering information for a more sophisticated attack.”_
> 
> Pedro Canahuati – CTO 1Password’s

****What 1Password Is Doing to Mitigate the Impact of the Incident****

1Password has taken a number of steps to mitigate the impact of the incident, including:

*   Launching an investigation into the incident.
*   Terminating the threat actor’s session immediately.
*   Implementing stricter access controls for Okta users.

****What 1Password Users Can Do to Protect Their Accounts****

1Password users can take the following steps to protect their accounts:

*   Keep their 1Password app up to date.
*   Change their 1Password password regularly.
*   Use a strong, unique password for their 1Password account.
*   Enable two-factor authentication for their 1Password account.
*   Be careful about clicking on links in emails or messages from unknown senders.

****What This Incident Means for IAM and Password Management Security****

The 1Password incident highlights the importance of strong security practices for both IAM and password management platforms. IAM platforms like Okta need to implement robust security controls to protect their customers’ data. All Password managers need to implement multi-factor authentication and other security measures to protect their users’ passwords.

Organizations that use Okta or other IAM platforms should review their security policies and procedures to ensure that they are taking all necessary precautions to protect their data. Organizations that use password managers should also review their security settings and enable multi-factor authentication for all users.

****_RELATED ARTICLES_****

1.  GoTo’s LastPass Breach: Encrypted Customer Data Taken
2.  Fake Bitwarden Password Manager Website Drops Windows ZenRAT
3.  PasswordState password manager’s update hijacked to drop malware
4.  LastPass Employee PC Hacked with Keylogger to Access Password Vault
5.  Passwords by Kaspersky Password Manager exposed to brute-force attack

1Password Discloses Security Incident Linked to Okta Breach

We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements.

Tuesday, October 24, 2023 08:10

**Quarterly threat report: Telecommunications and education are most-targeted verticals**

There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter.  

However, ever-present ransomware continues to be a threat, accounting for 10 percent of engagements. This quarter, which covers July, August and September, featured the LockBit and BlackByte ransomware families, which Talos IR has observed in previous quarters. But for the very first time, Talos IR observed a new variant of BlackByte ransomware, BlackByte NT. 

 Telecommunications and education were the most targeted verticals, each accounting for 20 percent of engagements. Threat actors and groups with varying motives and sophistication frequently targeted telecommunications organizations, continuing a trend where it was consistently a top-targeted industry vertical in 2022, according to Talos IR.  

Telecommunications companies are attractive targets due to their control over several critical infrastructure assets, serving as a gateway for adversaries to access other businesses, subscribers, or third-party providers. These organizations also have a large amount of customer data that is often targeted by financially motivated cybercriminals such as ransomware groups.   

Educational institutions are continuously targeted by cybercriminals due to vast amounts of personally identifiable student data, including financial and counseling records, as well as research institutes rich in intellectual property. Many education organizations have limited budgets devoted to cybersecurity, hampering defenses.      

**Web application targeting on the rise **

Attacks against web applications — and subsequent post-compromise activity — were the top-observed threat in Q3, accounting for 30 percent of engagements, a significant increase compared to the previous quarter. After gaining initial access, adversaries leveraged techniques such as launching web injection attacks, deploying web shells, and using commercial off-the-shelf frameworks such as Supershell, which deploys web shells to maintain access to a system. Talos IR is seeing a growing trend of adversaries leveraging advanced functionalities of various command and control (C2) frameworks, such as the newly observed Supershell C2 framework, to identify weaknesses in web servers and deploy web shells more easily. 

Supershell is a web-based management platform that allows attackers to remotely execute commands, manage compromised systems, and collaborate with multiple users. Before downloading Supershell, the attackers placed malicious XML inputs containing a reference to an external entity using XML external entity (XXE) injection attacks in hopes the web server had a misconfigured XML parser. Based on our analysis, Supershell appears to be designed for predominantly Chinese-speaking individuals as the tool is written for a Chinese-only web interface console. There is also a clear preference for Chinese in Supershell’s GitHub documentation, although an English-translated option exists.  

Although the development of recent frameworks that make the deployment of web shells easier benefits sophisticated adversaries, these frameworks may also reduce the barrier for entry for less sophisticated attackers. Given the growing trend of commercial off-the-shelf C2 frameworks within the last year, including Alchimist and Manjusaka, it is likely this trend will continue to play out as adversaries increasingly turn to adopt additional capabilities for performing web-based attacks. 

Web shells are malicious scripts that enable threat actors to compromise web-based servers exposed to the internet. Talos IR responded to an engagement where attackers uploaded several PHP web shells to an unpatched web server, demonstrating how threat actors commonly chain together web shells to build a more flexible toolkit. Within this cluster of activity, the attackers could not further carry out any post-compromise objectives due to the presence of a Web Application Firewall (WAF), highlighting the importance of implementing a WAF between public-facing servers and the Internet to help defend against these attacks.   

In several engagements this quarter, we observed adversaries leveraging Structured Query Language injection (SQLi) attacks, a technique in which adversaries enter SQL commands into an input field that does not use validation and sanitization. We increasingly see adversaries continue to use scanning frameworks to launch SQLi attacks. In one cluster of activity, Talos IR identified multiple SQLi attempts and more than 1,000 instances of SQLMap, an open-source utility often used to identify and exploit SQLi vulnerabilities. Adversaries also used a SQL injection module within Nessus, a proprietary vulnerability scanner, highlighting the threat actor’s intent on identifying SQLi vulnerabilities for expanded access.  

**Ransomware remains a threat **

Ransomware activity continued this quarter accounting for 10 percent of total IR engagements in Q3. We observed the BlackByte ransomware group’s new variant, BlackByte NT, for the first time in addition to the previously seen LockBit ransomware, which continues to be the top observed ransomware family in Talos IR engagements. 

LockBit was one of the most prevalent variants seen in Talos IR engagements since September 2022, consistent with a wide body of reporting calling LockBit one of the most active ransomware threats this year.  

Talos IR responded to a LockBit ransomware attack where the adversaries gained an initial foothold into the environment by compromising a valid contractor account. Once inside, attackers began dumping credentials from internal systems and were able to create an administrator account to elevate privileges and remain persistent in the environment. To evade detection, the attackers cleared the Windows event logs and disabled several security tools, including endpoint detection and response (EDR) and antivirus. LockBit established C2 channels via multiple methods, including the adversary simulation tool Cobalt Strike and the legitimate remote access software AnyDesk. The attackers modified domain policies to create a scheduled task that eventually executed the LockBit ransomware binary.  

Talos IR has previously observed BlackByte ransomware, but this quarter was the first time seeing the new variant, BlackByte NT. Unlike the former variants, this new variant (aka BlackByte 2.0) is written entirely in C++ and was discovered in May 2023. 

Talos IR observed the new BlackByte NT ransomware variant where the attackers initially compromised a valid account to gain access. Several accounts with administrator privileges were created in this engagement as well, showing ransomware actors’ reliance on account creation to escalate privileges and enable persistence. Attackers then used a combination of RDP, SSH, and Server Message Block (SMB) for lateral movement. Using the open-source Secure File Transfer Protocol (SFTP) tool WinSCP, adversaries exfiltrated data from the environment. Before encryption, the attackers cleared the Windows event logs to cover their tracks and deleted the shadow volume copies to inhibit system recovery, consistent with ransomware TTPs. Ransomware was propagated across the environment via SMB admin shares, a common distribution method also observed in ransomware attacks.   

**New ShroudedSnooper actor observed using custom backdoors **

This quarter also featured a new advanced persistent threat (APT) ShroudedSnooper targeting telecommunications firms in the Middle East. This activity is a continuation of a trend we have been monitoring over the past several years in which sophisticated actors are frequently targeting telecommunications organizations, a top-targeted industry vertical this quarter and throughout 2022, according to Talos IR. As part of this activity, ShroudedSnooper deployed two novel backdoor implants we dubbed “HTTPSnoop” and “PipeSnoop.” 

These backdoors interface with Windows HTTP kernel drivers and devices to listen to incoming requests for specific HTTP(S) URLs and execute that content on the infected endpoint. Talos IR observed DLL- and EXE-based versions of the implants that masquerade as legitimate security software components, and specifically extended detection and response (XDR) agents, making detection challenging.  

**Initial vectors **

Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements. The high number of web application attacks likely played a significant role in the increase this quarter.   

**Security weaknesses **

Unpatched or misconfigured applications and a lack of multi-factor authentication (MFA) were tied to the top security weaknesses, each accounting for 40 percent of engagements. This activity aligns with the top two initial access vectors used by adversaries this quarter, including exploiting public-facing applications and abusing valid accounts. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as RDP. Talos IR recommends expanding MFA for all user accounts, such as employee, contractor and business partner accounts.   

Staying up-to-date with software updates on public-facing applications is a crucial aspect of an organization’s security posture. Attackers often exploit vulnerabilities to achieve post-compromise objectives, such as privilege escalation. While vulnerability and patch management are critical, it is not always possible to immediately apply every security patch due to the complexity of enterprise networks. Talos IR recommends prioritizing critical vulnerabilities that pose the biggest threats to preventing exploitation.   

Misconfigurations can also leave organizations exposed regardless of an adversary’s intention. Talos IR frequently sees actors compromising systems that were misconfigured to be exposed publicly. Attackers often take the path of least resistance by leveraging vulnerabilities and exposures, highlighting that organizations need to be proactive in ensuring both systems and tools are configured properly.    

**Top observed MITRE ATT&CK techniques **

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements, which includes relevant examples and the volume Talos IR saw in engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list. 

Key findings from the MITRE ATT&CK framework include: 

*   Exploitation of public-facing applications was the top observed means of gaining initial access this quarter, accounting for 30 percent of total engagements.  
*   Attackers abused remote services, such as RDP, to move laterally in 25 percent of engagements. 
*   AnyDesk was observed in all ransomware and pre-ransomware engagements this quarter, underscoring its role in ransomware affiliates' attack chains.   
*   Indicator removal, such as clearing Windows event logs and file deletion, was the top defense evasion technique observed.   
*   In 25 percent of engagements this quarter, Talos IR observed attackers abusing scheduled tasks for continuous execution of malicious code to maintain persistence on an endpoint.    

Initial Access (TA0001)  

Example  

T1190 Exploit in Public-Facing Application  

Attackers successfully exploited a vulnerable application that was publicly exposed to the Internet    

Execution (TA0002)  

Example  

T1059.001 Command and Scripting Interpreter: PowerShell  

Executes PowerShell code to retrieve information about the client’s Active Directory environment  

Persistence (TA0003)  

Example  

T1053.005 Scheduled Task / Job: Scheduled Task  

Scheduled tasks were created on a compromised server  

Defense Evasion (TA0005)  

Example  

T1134.002 Access Token Manipulation: Create Process with Token  

Attackers created a new process using the command “run as”  

Credential Access (TA0006)  

Example  

T1003.001 OS Credential Dumping: LSASS Memory  

Use “lsass.exe” for stealing password hashes from memory  

Lateral Movement (TA0008)  

Example  

T1021.001 Remote Services: Remote Desktop Protocol  

Adversary made attempts to move laterally using Windows Remote Desktop   

Command and Control (TA0011)  

Example  

T1219 Remote Access Software  

Remote access tools found on the compromised system    

Exfiltration (TA0010)  

Example  

T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol  

Using FTP for file exfiltration  

Impact (TA0040)  

Example  

T1486 Data Encrypted for Impact  

Deploy LockBit ransomware and encrypt critical systems

Attacks on web applications spike in third quarter, new Talos IR data shows

IBM Security Verify Governance 10.0 does not encrypt sensitive or critical information before storage or transmission.  IBM X-Force ID:  256020.

CVE-2023-33837: Security Bulletin: IBM Security Verify Governance is affected by multiple vulnerabilities

Zscaler Client Connector Installer on Windows before version 3.4.0.124 improperly handled directory junctions during uninstallation. A local adversary may be able to delete folders in an elevated context.







CVE-2021-26734

An authentication bypass by spoofing of a device with a synthetic IP address is possible in Zscaler Client Connector on Windows, allowing a functionality bypass. This issue affects Client Connector: before 3.9.



CVE-2023-28803

Zscaler Client Connector for Windows before 4.1 writes/deletes a configuration file inside specific folders on the disk. A malicious user can replace the folder and execute code as a privileged user.





Tag

#windows