Cybersecurity news

  • A threat actor is promoting a new version of their free-to-use ‘Redeemer’ ransomware builder on hacker forums, offering unskilled threat actors an easy entry into the world of encryption-backed extortion attacks. The author states that the new 2.0 release was written entirely in C++. It works on Windows Vista, 7, 8, 10, and 11, featuring multi-threaded performance and a medium AV detection rate.
  • A cryptomining gang known as 8220 Gang has been exploiting Linux and cloud app vulnerabilities to grow its botnet to more than 30,000 infected hosts. The group is a low-skilled, financially motivated actor that infects AWS, Azure, GCP, Alitun, and QCloud hosts after targeting publicly available systems running vulnerable versions of Docker, Redis, Confluence, and Apache.
  • Atlassian has patched a critical hardcoded-credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable, unpatched servers.

Approaches to threat data exchange are currently in an active phase of formation and standardization. Today there are a couple of significant standards, namely MISP and STIX, and an entire assemblage of less significant ones that are less commonly used or considered deprecated, such as MAEC, IODEF, OpenIOC (CybOX), CAPEC, VERIS and many others. In addition, a decent number of community feeds are still distributed in txt or csv formats, as well as in the form of human-readable analytical summaries, bulletins, and reports.

This article analyzes the generally accepted practices of exchanging data about cyber threats, namely specialized formats and general-purpose standards that were not designed solely for threat intelligence (TI). Purely proprietary, rare and “reinvent-the-wheel” formats, as well as thematic blogs, news portals, messenger communities, and other TI sources in human-readable formats, are left out of the scope of the present article. Today the focus is on machine-readable formats.

“Consultants from Defensys’s Center of expertise along with our partners are ready to map the current correlation rules of SIEMs and other security tools of our customers with MITRE tags, so that the incident registered in SOAR will already contain all the needed data.

It’s been almost a year and a half since we started this practice with one of our Telecom customers. At the moment we’ve got all SOAR implementation projects where this mapping exists. This way you can ease the process of incident classification, adopt proper playbooks, and draw metrics with statistics. And of course you can speak the same language with the community when it comes to discussing some interesting or critical cases,” says Andrey Chechetkin, Deputy CEO of Defensys.

We’d like to remind you that after the implementation of Defensys SOAR, a customer is able to see the following in the incident card:

The Defensys company issued the fifth version of its SOAR platform, which is the core solution for building Security Operations Centers (SOC) of different scales. SOAR v5.0 got a lot of new features. In particular, the incident card now has a native section for working with IoCs that come from security alerts and Threat Intelligence platforms. The user experience of operating with playbooks was significantly updated as well. Besides that, the overall interface of the system got serious enhancements.

Important changes are ready to be used in the core functional block of incident management. Version 5.0 of Defensys SOAR gives you the opportunity to work with groups of incidents, which helps users conveniently handle cases where several incidents are related to each other. You can simply customize policies for auto-filling field values inside such a group of incidents. For example, the parent incident status can be inherited by the included incidents, or the total amount of damage can be automatically placed into a dedicated field of the parent incident. One more important feature is the section of the incident card specially tailored to working with IoCs in the most convenient way; of course, all the results of operating with IoCs are distributed into a variety of dashboards.

Challenge

With 5 independent regional SOCs connected to the main SOC in HQ, the Company’s cybersecurity staff had to register incidents in a service desk that wasn’t connected to the IT SD, and all the other data needed for an investigation was collected manually from multiple sources: security tools, data lakes, billing systems. It was also quite difficult to quickly find the properties of the technical equipment involved in a cyber incident. Threat Intelligence data was processed semi-automatically, without any connections to other systems.

Defensys products

After a comprehensive procedure of comparing different technologies for building the next version of its SOC, the Company chose Defensys as a leader in automating cybersecurity processes. The decision was to use SOAR and TIP to enhance the capabilities of an existing SOC made up of many systems not connected to each other.

Results

All incidents from different security tools, along with customers’ enquiries, are processed in one system, which lets different teams use the same investigation frameworks; this is important when it comes to collecting performance metrics. These incidents are automatically registered based on the MITRE ATT&CK framework, so the whole team operates with the same terms during the response process.