❌ Up to 35 Million 2018 Voter Records For Sale on Hacking Forum ❌

Just weeks before the midterms, voter information from 19 states has turned up on the Dark Web.

📖 Read

via "The first stop for security news | Threatpost ".

🕴 Millions of Voter Records Found for Sale on the Dark Web 🕴

Voter registration databases from 19 US states are being hawked in an underground hacking forum, researchers say.

📖 Read

via "Dark Reading: ".

🕴 IBM Builds 'SOC on Wheels' to Drive Cybersecurity Training 🕴

A tractor trailer housing a Cyber Tactical Operation Center will travel throughout the US and Europe for incident response training, security support, and education.

📖 Read

via "Dark Reading: ".

🕴 6 Security Trends for 2018/2019 🕴

Speaking at the Gartner Symposium/ITxpo, analyst Peter Firstbrook's list of trends is likely to inform executive committee conversations for the next 12 months.

📖 Read

via "Dark Reading: ".

🕴 6 Security Trends for 2018/2019 🕴

Speaking at the Gartner Symposium/ITxpo, analyst Peter Firstbrook's list of trends is likely to inform executive committee conversations for the next 12 months.

📖 Read

via "Dark Reading: ".

🕴 6 Security Trends for 2018/2019 🕴

Speaking at the Gartner Symposium/ITxpo, analyst Peter Firstbrook's list of trends is likely to inform executive committee conversations for the next 12 months.

📖 Read

via "Dark Reading: ".

⚠ How to buy (and set up) a safe and secure baby monitor ⚠

Wi-Fi enabled or not? Digital or analog? Here are the features to look for, and how to secure your baby monitor out of the box.

📖 Read

via "Naked Security".

<b>&#10068; Deep analysis of AZORult – The information exfiltrator &#10068;</b>

<code>Estimated reading time: 5 minutesWhile the current focus in the cyberspace is on Ransomware and Cryptominers there are other prevalent threat actors silently making their way into victim’s machine in order to comprise it for malicious purpose. During the daily threat hunting task,Quick Heal Security labs came across a blocked URL by Quick Heal’s URL categorization cloud feature. Further analysis of the URL led us to a new variant of the “AZORult” infostealer malware. This  malware harvests and exfiltrates data from the victim’s machine to the CnC server. In this post, we will dissect  this malware and share interesting details about it. Below attack chain depicts the execution sequence observed for this malware. Fig 1. Attack Chain At the time of analysis, the initial attack vector was unknown but the attack chain was traced from malicious  URL. Quick Heal Security labs suspected the initial attack vector to be Phishing email. URL: cw57146.tmweb.ru/upload/neut[.]exe During static analysis, sample seems to have a lot of the Flare in it. The ‘neut.exe’ file is PE32 executable for MS Windows and compiled as P-code file of Microsoft Visual Basic. It has various encrypted strings and contains  large resource data of high entropy. Fig 2: Huge resource in CFF explorer Decompiled File has a function to disable DEP for the current process, it attempts to modify Explorer settings to prevent hidden files from being displayed and also loads huge resource in the memory. Fig 3: Decompiled File shows DEP policy and resource loading While traversing some more functions in the decompiled file. An obfuscated code was found which is passed to a function which de-obfuscates the data and forms a valid string. Fig. 4 Obfuscated Bytes After converting these hex values to ASCII, Code looks like it is base64 encoded. So after decoding it using  base64 algorithm following strings are found. C:\ProgramData\worm.exe Hxxp://cw57146.tmweb.ru/upload/neut[.]exe Next function traversed has XOR algorithm along with some more operation which is applied on whole resource data. Decryption routine is shown through below snippet. Fig 5. Xor algorithm used to decrypt resource code After implementing this logic on the resource code, one PE file is found. Decrypted PE file is Delphi windows file and we are going forward to analyze this file. Statically checking file various base64 encode strings are found which are shown in the below image. Fig 6. Base64 encoded strings Decoding above strings using base64 algorithm, below result is found. These strings are used to collect system  info like “UninstallDisplayName” & ”Uninstall” registry key is used to identify all the installed software in the  system. “CreateToolhelp32Snapshot” is used to list out all the running processes. Software\Microsoft\Windows\CurrentVersion\UninstallDisplayName Software\Microsoft\Windows\CurrentVersion\Uninstall\DisplayVersion HARDWARE\DESCRIPTION\System\CentralProcessor\0 CreateToolhelp32Snapshot Some unencrypted strings are also there. Below snapshot has some of those strings: Fig 7. Strings found in Resource File Now further analysis will give understanding of where and how these strings are used. So after debugging the  file in IDA. Malware collects machine information such as  “MachineGuid”, “ProductName”, “UserName”,  “ComputerName” and XOR it with DWORD then concat it and finally creates mutex of this name for the  particular system. After that malware tries to send data to the C&C server using a POST request. This is how that request  is constructed: Fig 8. Call to HttpSendRequestA The CnC server responded with the huge amount of data which seems to be encrypted. Fig 9. Response from CnC Server After more debugging the file, malware read data send by CnC server in memory by using “InternetReadFile”  api & then decrypted it using XOR algorithm with a 3 byte key. Some data at the end of the response buffer …

<b>&#10068; Deep analysis of AZORult – The information exfiltrator &#10068;</b>

<code>Estimated reading time: 5 minutesWhile the current focus in the cyberspace is on Ransomware and Cryptominers there are other prevalent threat actors silently making their way into victim’s machine in order to comprise it for malicious purpose. During the daily threat hunting task,Quick Heal Security labs came across a blocked URL by Quick Heal’s URL categorization cloud feature. Further analysis of the URL led us to a new variant of the “AZORult” infostealer malware. This malware harvests and exfiltrates data from the victim’s machine to the CnC server. In this post, we will dissect this malware and share interesting details about it. Below attack chain depicts the execution sequence observed for this malware. Fig 1. Attack Chain At the time of analysis, the initial attack vector was unknown but the attack chain was traced from malicious URL. Quick Heal Security labs suspected the initial attack vector to be Phishing email. URL: cw57146.tmweb.ru/upload/neut[.]exe During static analysis, sample seems to have a lot of the Flare in it. The ‘neut.exe’ file is PE32 executable for MS Windows and compiled as P-code file of Microsoft Visual Basic. It has various encrypted strings and contains large resource data of high entropy. Fig 2: Huge resource in CFF explorer Decompiled File has a function to disable DEP for the current process, it attempts to modify Explorer settings to prevent hidden files from being displayed and also loads huge resource in the memory. Fig 3: Decompiled File shows DEP policy and resource loading While traversing some more functions in the decompiled file. An obfuscated code was found which is passed to a function which de-obfuscates the data and forms a valid string. Fig. 4 Obfuscated Bytes After converting these hex values to ASCII, Code looks like it is base64 encoded. So after decoding it using base64 algorithm following strings are found. C:\ProgramData\worm.exe Hxxp://cw57146.tmweb.ru/upload/neut[.]exe Next function traversed has XOR algorithm along with some more operation which is applied on whole resource data. Decryption routine is shown through below snippet. Fig 5. Xor algorithm used to decrypt resource code After implementing this logic on the resource code, one PE file is found. Decrypted PE file is Delphi windows file and we are going forward to analyze this file. Statically checking file various base64 encode strings are found which are shown in the below image. Fig 6. Base64 encoded strings Decoding above strings using base64 algorithm, below result is found. These strings are used to collect system info like “UninstallDisplayName” & ”Uninstall” registry key is used to identify all the installed software in the system. “CreateToolhelp32Snapshot” is used to list out all the running processes. Software\Microsoft\Windows\CurrentVersion\UninstallDisplayName Software\Microsoft\Windows\CurrentVersion\Uninstall\DisplayVersion HARDWARE\DESCRIPTION\System\CentralProcessor\0 CreateToolhelp32Snapshot Some unencrypted strings are also there. Below snapshot has some of those strings: Fig 7. Strings found in Resource File Now further analysis will give understanding of where and how these strings are used. So after debugging the file in IDA. Malware collects machine information such as “MachineGuid”, “ProductName”, “UserName”, “ComputerName” and XOR it with DWORD then concat it and finally creates mutex of this name for the particular system. After that malware tries to send data to the C&C server using a POST request. This is how that request is constructed: Fig 8. Call to HttpSendRequestA The CnC server responded with the huge amount of data which seems to be encrypted. Fig 9. Response from CnC Server After more debugging the file, malware read data send by CnC server in memory by using “InternetReadFile” api & then decrypted it using XOR algorithm with a 3 byte key. Some data at the end of the response buffer has base64…

⚠ Google using lock screen passwords to encrypt Android Cloud backups ⚠

If, that is, your phone has updated to the Android 9 operating system, otherwise known as Pie. If so, say hi to the Titan chip!

📖 Read

via "Naked Security".

🕴 6 Reasons Why Employees Violate Security Policies 🕴

Get into their heads to find out why they're flouting your corporate cybersecurity rules.

📖 Read

via "Dark Reading: ".

⚠ How Chrome and Firefox could ruin your online business this month ⚠

Last year, Symantec sold off its web certificate business. The new owners are reissuing certs for free - but there's a deadline looming!

📖 Read

via "Naked Security".

⚠ US embassy accidentally emails invitation to ‘cat pyjama-jam’ meeting ⚠

Canberra’s US embassy accidentally exposed details of one of its more enticing get-togethers last week, featuring a cat in a Cookie Monster outfit.

📖 Read

via "Naked Security".

🕴 6 Reasons Why Employees Violate Security Policies 🕴

Get into their heads to find out why they're flouting your corporate cybersecurity rules.

📖 Read

via "Dark Reading: ".

🔐 Forecasting credential stuffing threats 🔐

From password vaults to two-factor authentication, Andy Ellis of Akamai explains defensive tactics against password stuffing.

📖 Read

via "Security on TechRepublic".

🕴 Spies Among Us: Tracking, IoT & the Truly Inside Threat 🕴

In today's ultra-connected world, it's important for users to understand how to safeguard security while browsing the web and using electronic devices.

📖 Read

via "Dark Reading: ".

❌ Privacy Regulation Could Be a Test for States’ Rights ❌

As more states take cybersecurity and privacy issues into their own hands, experts worry that big tech will push for preemption.

📖 Read

via "The first stop for security news | Threatpost ".

🕴 6 Reasons Why Employees Violate Security Policies 🕴

Get into their heads to find out why they're flouting your corporate cybersecurity rules.

📖 Read

via "Dark Reading: ".

❌ Facebook Expands Efforts to Squash Voter Suppression ❌

The social network will crack down on those spreading disinformation in an effort to keep people away from the polls.

📖 Read

via "The first stop for security news | Threatpost ".

❌ ThreatList: Half of Execs Feel Unprepared to Respond to a Cyber-Incident ❌

Deloitte estimates cybercrime costs to reach $6 trillion annually -- but companies still lag in preparedness.

📖 Read

via "The first stop for security news | Threatpost ".

🔐 How to train your employees to avoid online scams: 5 tips 🔐

According to Microsoft, online scammers are still tricking people with tech support scams, but there are ways to stay safe.

📖 Read

via "Security on TechRepublic".