🕴 DoD Travel System Breach Exposed Data of 30K Civilian, Military Employees 🕴
Dark Reading
Defense Dept. says contractor that handles travel management services was hacked.
🕴 3 Out of 4 Employees Pose a Security Risk 🕴
Dark Reading
New MediaPRO study also finds that management performed worse than entry- and mid-level employees in how to handle a suspected phishing email.
🔐 Why 75% of your employees could end up costing you millions 🔐
TechRepublic
Three-quarters of employees show an inability to prevent even basic cybersecurity incidents, according to a new report from MediaPro.
🔐 How to limit access to the su command in Linux 🔐
TechRepublic
Jack Wallen shows you a simple trick to heighten your Linux server security, by limiting Linux users' access to the su command.
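The summary above does not say what the trick is; the usual one is the pam_wheel module in /etc/pam.d/su, which limits su to members of one group (wheel by default) and ships commented out on Debian-derived systems. What follows is an added example, not Jack Wallen's code, that reads a /etc/pam.d/su and an /etc/group and answers who can still reach the su password prompt. The sample files are constructed, and only supplementary group membership is checked (pam_wheel also accepts a user whose primary GID matches, which would need /etc/passwd).

```python
import re
from typing import Optional, Tuple

# Constructed sample files (not from the article). The first is a Debian-style
# /etc/pam.d/su as shipped, with the pam_wheel line commented out; the second
# is the same file with that line enabled; the third is an /etc/group excerpt.
PAM_SU_DEFAULT = """\
auth       sufficient pam_rootok.so
# Uncomment this to force the user to be a member of group wheel
# before they can use `su'.
# auth       required   pam_wheel.so use_uid
@include common-auth
@include common-account
@include common-session
"""
PAM_SU_HARDENED = PAM_SU_DEFAULT.replace(
    "# auth       required   pam_wheel.so use_uid",
    "auth       required   pam_wheel.so use_uid")
GROUP_FILE = """\
root:x:0:
wheel:x:10:alice
sudo:x:27:alice,bob
users:x:100:
"""

# An active (uncommented) pam_wheel rule in the auth stack. `use_uid` tells the
# module to look at the real UID of the caller instead of the login name.
PAM_WHEEL_LINE = re.compile(
    r"^\s*auth\s+(required|requisite)\s+pam_wheel\.so(?P<opts>[^\n]*)$",
    re.MULTILINE)


def wheel_policy(pam_su_text: str) -> Tuple[str, Optional[str]]:
    """Read the pam_wheel rule out of /etc/pam.d/su.
    Returns ("none", None) if su is open to anyone who knows the target
    password, ("allow", group) if only members of `group` may use su, or
    ("deny", group) if the `deny` option is set and members are blocked.
    Commented-out lines are ignored, which is what makes the default permissive."""
    m = PAM_WHEEL_LINE.search(pam_su_text)
    if not m:
        return "none", None
    opts = m.group("opts").split()
    group = "wheel"                      # pam_wheel's built-in default group
    for opt in opts:
        if opt.startswith("group="):
            group = opt.split("=", 1)[1]
    return ("deny" if "deny" in opts else "allow"), group


def group_members(group_text: str, group: str) -> set:
    """Supplementary members of `group` as listed in /etc/group."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == group:
            return {u for u in fields[3].split(",") if u}
    return set()


def can_su(user: str, pam_su_text: str, group_text: str) -> bool:
    """Would pam_wheel let `user` reach su's password prompt?
    root is always allowed by the `sufficient pam_rootok.so` line that
    precedes pam_wheel in the stack."""
    if user == "root":
        return True
    mode, group = wheel_policy(pam_su_text)
    if mode == "none":
        return True
    members = group_members(group_text, group)
    return (user in members) if mode == "allow" else (user not in members)


if __name__ == "__main__":
    for user in ("alice", "bob", "root"):
        print(user,
              "default:", can_su(user, PAM_SU_DEFAULT, GROUP_FILE),
              "hardened:", can_su(user, PAM_SU_HARDENED, GROUP_FILE))
```

Against a live host, pass `open("/etc/pam.d/su").read()` and `open("/etc/group").read()` to `can_su`. Two caveats: this restricts su only, so a user with a sudo rule is unaffected, and a member of the wheel group still needs the target account's password.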
🔐 Around 62 percent of all Internet sites will run an unsupported PHP version in 10 weeks 🔐
TechRepublic
The highly popular PHP 5.x branch will stop receiving security updates at the end of the year.
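The 62 percent figure is a census of version banners against the PHP support schedule. The following added example (not TechRepublic's code) does the same classification on a few constructed X-Powered-By headers. Only the 5.6 end-of-security-support date (31 December 2018) is backed by the article; the 7.x dates in the table are assumed from the published schedule and should be verified against php.net before use.

```python
import re
from datetime import date
from typing import List, Optional, Tuple

# End of security support per PHP branch. The 5.6 date is the one the article
# refers to ("end of the year"); the 7.x dates are an assumption taken from
# the published schedule and should be re-checked against php.net.
BRANCH_EOL = {
    (5, 6): date(2018, 12, 31),
    (7, 0): date(2018, 12, 3),
    (7, 1): date(2019, 12, 1),
    (7, 2): date(2020, 11, 30),
}

# Matches both "PHP 5.6.38 (cli) ..." from `php -v` and "PHP/5.6.38" headers.
VERSION_RE = re.compile(r"PHP[/ ](\d+)\.(\d+)(?:\.(\d+))?")


def parse_php_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull (major, minor, patch) out of `php -v` output or an
    X-Powered-By header; None if no PHP version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def support_status(text: str, today: date) -> Tuple[str, Optional[int]]:
    """Classify a version string as of `today`.
    Returns (status, days_left): status is 'supported', 'unsupported' or
    'unknown' (branch not in the table); days_left is negative once the
    branch is past end-of-life, None when no date applies."""
    v = parse_php_version(text)
    if v is None:
        return "unknown", None
    branch = v[:2]
    if branch < (5, 6):              # every branch before 5.6 was EOL long ago
        return "unsupported", None
    if branch not in BRANCH_EOL:
        return "unknown", None
    days_left = (BRANCH_EOL[branch] - today).days
    return ("supported" if days_left >= 0 else "unsupported"), days_left


def unsupported_share(banners: List[str], today: date) -> float:
    """Fraction of hosts with a recognisable PHP version that are on an
    unsupported branch as of `today`: the article's 62 percent style figure."""
    known = [support_status(b, today) for b in banners]
    known = [s for s in known if s[0] != "unknown"]
    if not known:
        return 0.0
    return sum(1 for status, _ in known if status == "unsupported") / len(known)


# Constructed sample: X-Powered-By headers as seen from a handful of hosts.
SAMPLE_BANNERS = [
    "X-Powered-By: PHP/5.6.38",
    "X-Powered-By: PHP/5.4.16",
    "X-Powered-By: PHP/7.2.11",
    "X-Powered-By: PHP/7.0.32",
    "Server: nginx",                 # no PHP version exposed; left out of the share
]

if __name__ == "__main__":
    for when in (date(2018, 10, 22), date(2019, 1, 1)):
        print(when, "unsupported share:", unsupported_share(SAMPLE_BANNERS, when))
        for b in SAMPLE_BANNERS:
            print("  ", b, "->", support_status(b, when))
```

A banner census undercounts: `expose_php = Off` removes the header entirely and a proxy can rewrite it, so the absence of a version says nothing. For hosts you own, run `php -v` on the box and feed that line to `support_status` instead.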
🔐 Cyberattacks are becoming more clever than ever, here's what to look for 🔐
TechRepublic
Business faced far more attacks than consumers in Q3 2018, and the attackers are growing in creativity, according to Malwarebytes.
🔐 How to encrypt a USB flash drive with GNOME Disks 🔐
TechRepublic
If you use Linux and need an easy method of encrypting data on your USB drives, GNOME Disks has you covered.
❌ Up to 35 Million 2018 Voter Records For Sale on Hacking Forum ❌
Threatpost
Just weeks before the midterms, voter information from 19 states has turned up on the Dark Web.
🕴 Millions of Voter Records Found for Sale on the Dark Web 🕴
Dark Reading
Voter registration databases from 19 US states are being hawked in an underground hacking forum, researchers say.
🕴 IBM Builds 'SOC on Wheels' to Drive Cybersecurity Training 🕴
Dark Reading
A tractor trailer housing a Cyber Tactical Operation Center will travel throughout the US and Europe for incident response training, security support, and education.
🕴 6 Security Trends for 2018/2019 🕴
Dark Reading
Speaking at the Gartner Symposium/ITxpo, analyst Peter Firstbrook's list of trends is likely to inform executive committee conversations for the next 12 months.
⚠ How to buy (and set up) a safe and secure baby monitor ⚠
Naked Security – Sophos News
Wi-Fi enabled or not? Digital or analog? Here are the features to look for, and how to secure your baby monitor out of the box.
<b>❔ Deep analysis of AZORult – The information exfiltrator ❔</b>
While the current focus in cyberspace is on ransomware and cryptominers, other prevalent threats are silently making their way onto victims' machines to compromise them for malicious purposes. During a daily threat-hunting task, Quick Heal Security Labs came across a URL blocked by Quick Heal's URL-categorization cloud feature. Further analysis of the URL led to a new variant of the "AZORult" infostealer. This malware harvests data from the victim's machine and exfiltrates it to the CnC server. This post dissects the malware and shares interesting details about it.

Fig 1. Attack Chain (the execution sequence observed for this malware)

At the time of analysis the initial attack vector was unknown; the chain was traced back from the malicious URL, and Quick Heal Security Labs suspected a phishing email. URL: cw57146.tmweb.ru/upload/neut[.]exe

During static analysis the sample seemed to have a lot of flare in it. The 'neut.exe' file is a PE32 executable for MS Windows, compiled as a Microsoft Visual Basic P-code file. It has various encrypted strings and contains a large resource of high entropy.

Fig 2: Huge resource in CFF Explorer

The decompiled file has a function that disables DEP for the current process, attempts to modify Explorer settings so that hidden files are not displayed, and loads the huge resource into memory.

Fig 3: Decompiled file shows the DEP policy change and resource loading

Traversing more functions in the decompiled file, an obfuscated blob was found that is passed to a routine which de-obfuscates it into a valid string.

Fig 4. Obfuscated bytes

After converting the hex values to ASCII, the result looks base64-encoded; decoding it yields the following strings:

C:\ProgramData\worm.exe
Hxxp://cw57146.tmweb.ru/upload/neut[.]exe

The next function has an XOR routine, combined with some further operations, that is applied to the whole resource. The decryption routine is shown in the snippet below.

Fig 5. XOR algorithm used to decrypt the resource

Applying this logic to the resource yields a PE file. The decrypted PE is a Delphi Windows executable, and the analysis continues with it. Static inspection finds several base64-encoded strings, shown in the image below.

Fig 6. Base64-encoded strings

Decoding them gives the result below. These strings are used to collect system information: the "Uninstall" and "UninstallDisplayName" registry keys identify all software installed on the system, and "CreateToolhelp32Snapshot" enumerates the running processes.

Software\Microsoft\Windows\CurrentVersion\UninstallDisplayName
Software\Microsoft\Windows\CurrentVersion\Uninstall\DisplayVersion
HARDWARE\DESCRIPTION\System\CentralProcessor\0
CreateToolhelp32Snapshot

Some unencrypted strings are present as well; the snapshot below shows some of them.

Fig 7. Strings found in the resource file

Further analysis shows where and how these strings are used. Debugging the file in IDA: the malware collects machine information such as "MachineGuid", "ProductName", "UserName" and "ComputerName", XORs it with a DWORD, concatenates the result and finally creates a mutex of that name, unique to the particular system. It then sends data to the C&C server in a POST request, constructed as follows:

Fig 8. Call to HttpSendRequestA

The CnC server responded with a large amount of data that appears to be encrypted.

Fig 9. Response from CnC server

Further debugging shows that the malware reads the data sent by the CnC server into memory using the "InternetReadFile" API and then decrypts it with an XOR algorithm using a 3-byte key.

Some data at the end of the response buffer has base64…
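Three steps in the write-up above are ones an analyst reproduces by hand: measuring the entropy of the suspicious resource, decoding the hex-then-base64 strings, and undoing a 3-byte repeating XOR. The following is an added example, not code from Quick Heal's post, that does each on constructed data. The sample plaintext and the key 3A 7F C2 are made up, and the key recovery assumes the encrypted blob decrypts to a PE file (as the resource in Fig 5 does), which fixes two key bytes from the 'MZ' magic and leaves one to brute-force; the post does not state what the CnC response decrypts to, so that assumption may not hold there.

```python
import base64
import math
from itertools import product
from typing import Optional

# --- Constructed sample data (not from the Quick Heal post) -----------------
# A stand-in for an XOR-encrypted payload: a PE-like DOS header and stub,
# followed by one of the registry paths the post lists. Real payloads are
# whole PE files; only the 'MZ' magic and the DOS-stub text are relied on.
DOS_STUB = b"This program cannot be run in DOS mode"
SAMPLE_PLAINTEXT = (
    b"MZ\x90\x00" + b"\x00" * 56
    + DOS_STUB + b".\r\n$"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\x00"
)
SAMPLE_KEY = bytes([0x3A, 0x7F, 0xC2])      # hypothetical 3-byte key


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte. Encrypted or compressed data approaches 8.0;
    ordinary PE code sits well below, so a resource near 8.0 is the
    'high entropy' sign the post mentions."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def decode_hex_b64(hex_text: str) -> str:
    """Undo the two-layer string obfuscation: hex -> ASCII base64 -> string."""
    return base64.b64decode(bytes.fromhex(hex_text)).decode("latin-1")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is its own inverse, so one routine both
    encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(ciphertext: bytes, key_len: int = 3,
                    known_prefix: bytes = b"MZ", marker: bytes = DOS_STUB,
                    window: int = 512) -> Optional[bytes]:
    """Recover a repeating XOR key when the plaintext is a PE file.
    The known prefix fixes key bytes k[i] = c[i] ^ p[i]; the remaining bytes
    are brute-forced, and a candidate is accepted only if the DOS-stub text
    appears in the first `window` decrypted bytes."""
    known_prefix = known_prefix[:key_len]
    fixed = bytes(c ^ p for c, p in zip(ciphertext, known_prefix))
    head = ciphertext[:window]
    for tail in product(range(256), repeat=key_len - len(fixed)):
        key = fixed + bytes(tail)
        if marker in xor_repeating(head, key):
            return key
    return None


SAMPLE_CIPHERTEXT = xor_repeating(SAMPLE_PLAINTEXT, SAMPLE_KEY)
# Constructed stand-in for the Fig 4 blob: hex of base64 of a dropped path.
SAMPLE_HEX_BLOB = base64.b64encode(b"C:\\ProgramData\\worm.exe").hex()

if __name__ == "__main__":
    print(f"plaintext entropy:  {shannon_entropy(SAMPLE_PLAINTEXT):.2f} bits/byte")
    print(f"ciphertext entropy: {shannon_entropy(SAMPLE_CIPHERTEXT):.2f} bits/byte")
    print("decoded string:", decode_hex_b64(SAMPLE_HEX_BLOB))
    key = recover_xor_key(SAMPLE_CIPHERTEXT)
    print("recovered key:", key.hex() if key else None)
    if key:
        print("decrypted head:", xor_repeating(SAMPLE_CIPHERTEXT, key)[:64])
```

The brute-force cost is 256 to the power of the unknown key bytes, so a 3-byte key with two bytes fixed by 'MZ' is 256 decryptions of a 512-byte window; for an unknown plaintext, score candidates by printable-ASCII ratio or entropy drop instead of a fixed marker. The post says the resource routine applies "some more operations" besides XOR, so plain repeating XOR will not be enough for that blob without reading the Fig 5 routine.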
⚠ Google using lock screen passwords to encrypt Android Cloud backups ⚠
Naked Security – Sophos News
If, that is, your phone has updated to the Android 9 operating system, otherwise known as Pie. If so, say hi to the Titan chip!