All posts by be4sec

Gold Mining Company’s Data on Sale

A threat actor advertises data of a Turkish gold mining company called Anagold in breached.co. breached.co is a forum created as an alternative to raidforums.com.

Anagold is a mining company which is a partner of Canadian SSR Mining company and has gold mines in Turkey. In the past months, there have been allegations of cyanide leaks in Turkey regarding the mining company.

According to the threat actor’s post, they are now sharing only 8GBs of data for now and more will be shared later. This data is also including some survey maps of gold reserves.

The company has not yet made a statement about the allegations.

Catch Threat Actors Using Cobalt Strike

Cobalt Strike is a legitimate, commercial penetration testing tool mostly used by red teams and for security trainings. However, it is widely used as cracked by threat actors for intrusion and lateral movement in their victims’ networks.

Google Cloud has released some open source YARA rules for detecting Cobalt Strike components dating back to 2012. This Yara rules set is including 165 detection signatures to scan more than 300 different Cobalt Strike binaries.

We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike’s components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe” Google Cloud said in their post.

Cobalt Strike includes several features like discovery, payload creation, MS Office macro creation, website cloning, and so on. Many threat actors in the field have been observed using Cobalt Strike.

Beware of Fake/Malicious CVE PoCs

In recent years, it is very common to share PoC exploits for known vulnerabilities. It is very common to easily find several PoCs for vulnerabilitirs in GitHub. A researcher team from Leiden Institute of Advanced Computer Science announced that they discovered thousands of repositories on GitHub that offer fake PoC exploits for multiple vulnerabilities.

The discovery is including vulnerabilities discovered between 2017 and 2021. For these vulnerabilities, the team analyzed 47313 repositories and discovered that 4893 of them were malicious repositories. These repositories were used by threat actors to spread malware. The researchers analyzed a total of 358277 IP addresses, 150734 of them were unique IPs and 2864 were blacklisted.

A given example for fake PoC is for the CVE-2019-0708 vulnerability. “This repository was created by a user under the name Elkhazrajy. The source code contains a base64 line that once decoded will be running. It contains another Python script with a link to Pastebin28 that will be saved as a VBScript, then run by the first exec command. After investigating the VBScript we discovered that it contains the Houdini malware” written in the document the team provided.

It seems like this fake PoCs will go on for both newly discovered and legacy vulnerabilities. Even if PoCs are not malicious, these PoCs are making exploitations accessible for public and also for less experienced attackers also. So, as soon as a vulnerability is discovered, it is very likely to be exploited until it is patched. Because of this situation, security teams need to prioritize and patch critical vulnerabilities faster. This also shows the importance of using a professional intelligence service for prioritizing vulnerabilities according to organization’s threat profile that detected by the intelligence service again.

Does Qatar Requires Visitors to Install App on Their Mobile Phones?

Qatar is the first Arabic country that will host World Cup and also this year is an exception for World Cup since it will be done in winter. It will be hosted from 20th of November to 18th of December.

Surely, World Cup is one of the biggest sport organizations in the world and thousands of football fans all over the world are planning to join this organization. However Qatar requires visitors to install two different applications on their mobile phones.

As the news, according to Øyvind Vasaasen, Head of Security at NRK, visitors must not bring their mobile phones to Qatar.

One of the must-install applications is Ehteraz. It is a Covid-19 tracking application and required for visitors older than 18. This application is tracking users’ location. It was used for infected individuals to enforce quarantine during Covid-19 in Qatar. It was also discovered that the app wants permission to “read, delete or change all content on the phone, as well as access to connect to WiFi and Bluetooth, override other apps and prevent the phone from switching off to sleep mode.

The other must-install application is Hayya. It is an application helping visitors to get their tickets and also giving access to free metro service in Qatar. Similarly, Hayya can get visitors’ location and also view network connections.

It seems like with installing these two applications, you give the people who control the apps the ability to read your data in your phone, and control it. It can also give a chance to retrieve information from other applications in the phone.

Beware of Fake Job Ads.

There seems to be a significant increase in incidents resulting from fake job postings. It seems that the widespread use of remote work after Covid has an effect on this. These fake ads – job scams – often manage to attract employees with remote working conditions and high salaries.

Job Scams

Lastly, North Korean APT38 (aka Lazarus) group targeted employees with fake job posting emails. The attackers were impersonating the Coinbase company and their emails appeared to be coming from Coinbase. Coinbase is one of the world’s biggest and most popular cryptocurrency exchanges.

Subject: BITCOIN JOB OPPORTUNITY 

Not familiar with BITCOIN? Then this is an opportunity for you to learn & make money. COINBASE  COMPANY ( A secure platform that makes it easy to buy, sell, and store cryptocurrency like Bitcoin, Ethereum)  seek INDIVIDUALS who can VISIT at least “one” BITCOIN ATM every week for survey.  
Weekly pay is $350. No specific time required as long as work is completed in a timely manner. 
For more information’s, Please Email Coordinator Brian at (external email address) for more information 
NOTE: Candidates should email (only) with their PERSONAL EMAIL Address for consideration. 
Sincerely,

How is it working?

What you see above is an example of an email sent by the North Korean group under the name Coinbase. Attackers firstly create fake job postings on LinkedIn and fake websites exactly the same of the original website and directs victims to these fake websites via LinkedIn and emails. When the victim gets an email after applying the job in the fake website. These emails may contain harmful files or sometimes attackers go on with social engineering with having job interviews with the victims.

Also, fake SMS is another common method. Attackers are sending SMS that appears to be from HR managers of companies.

Access to Central Bank is for Sale

A threat actor, called ‘4c3’ selling access to a central bank. The threat actor did not disclose the name of the bank.

The ad posted today, in exploit.in website. The threat actor did not disclose the name of the bank but gave some information like the bank has Symantec as EDR and around 10k machines, mostly running Windows. The bank is using Flexcube database too.

The threat actor is claiming that she/he can give VPN access for the central bank and all passwords of domain dump.

The threat actor announced that she/he is not giving the name of the bank publicly and she/he can give it only via private chat.

exploit.in is a very popular Russian undergroun hacking forum.

Russian Threat Actors are Preparing to Attack Azerbaijan

Large-scale cyber attacks against the electronic information resources of Azerbaijan have been prepared.

The Center for Combating Computer Incidents of the State Service of Special Communication and Information Security of Azerbaijan released information about this.

“The Center for Combating Computer Incidents of the Special Communication and Information Security State Service (XRITDX) monitors cyber attacks against our country 24/7 and successfully prevents DDOS and other types of cyber attacks against state information resources since 03.05.2022.”

“XRITDX calls on state and non-state information resource administrators, as well as our citizens, to be careful and vigilant against phishing attacks.”

Today, posts about Azerbaijan in many Russian telegram channels attracted attention. It is mentioned that the threat actor will attack to government targets of Azerbaijan for a few weeks.

Later, the sharing of information about some of Azerbaijan’s airports and important gas station networks in Telegram groups drew attention too.

We will try to share the developments on the subject as soon as possible.

Solana Blockchain is Under Attack

Solana announced that an attack affected more than 7700 wallets. The exploit affected several wallets, including Slope and Phantom.

Experts recommend that affected wallets should be transferred to cold wallets, and for those who do not have cold wallet, transferring all fund to a centralized exchange will be a good option.

Analysts says that technique of the attack is still unknown and a bug may cause this instead of Solana blockchain itself. A 0-day vulnerability seems more possible to gain access to such a large number of private keys.

According to Elliptic, blockchain analyzer, $5.8 Million crypto asset stolen just in August, including SOL, USD and NFT.

TTP-Based Threat Hunting – Why and How?

In its simplest definition, threat hunting is a process to identify whether adversaries reached to the organization’s network or not.

Despite many precautions taken at the perimeter level and many technologies used, breaches cannot be prevented. As a result of this situation, technologies to detect whether an attacker is inside have also come to the fore in recent years. EDRs and NDRs are mostly developed and used for detecting and they use many different methods for this.

Pyramid of Pain

In the event of a breach, the most important way to lower dwell time is to implement a regular and continuous threat hunting process. Earlier, as discussed in pyramid of pain, there are several methods for threat hunting like using signatures, IoCs, anomaly detection or TTPs.

A signature can be IP addresses, domains, or file hashes about the threat actor but as you can see above, they are at the bottom of the pyramid. Because they can be changed very easily by the attacker and these information mostly include false positives. When attackers register a new domain, or get a new IP address, it will be a 0-day for the organization and will be impossible to detect the attack via IoC sweep.

Therefore, using the attackers’ TTPs for threat hunting will give much more accurate results. Attackers do not change the techniques that they are using frequently, especially if they have been successful before with these techniques. The MITRE ATT&CK framework is the best way for this technique. Many organizations have adapted their infrastructure to miter or continue to work on this issue. If they haven’t started this yet, they should start as soon as possible.

Threat Intelligence: For a better and continuous threat hunting, threat intelligence is essential. There are lots of techniques and tactics in Att&ck and analysts must decide with threat intel where to start. For a start, it may be a good method to start by identifying the actors that will threaten them depending on the country, region and sector of the organization. This process will prioritize TTPs for hunting. It must be ensured that the threat intel provides this information up-to-date.

Developing Hypotheses: After prioritizing the TTPs for hunting, next step is to creating the hypotheses. This step means determining the data that should be collected to detect the adversarial behavior. According to the required data, it is determined with which security controls the detection should be made.

At this stage, also there is a need to make a gap analysis to be ensure that we can detect all the related activity. If necessary, other security controls should be added. This process can be done with security validation tools like Verodin, since In Verodin all tests and reports are Att&ck based. Hunt teams should correct both they can get needed logs from every piece of the network and these logs are sent to SIEM regularly. So Verodin also should be used for these steps.

This data selection phase also provides to use SIEM more effective. By understanding the adversarial techniques, organizations can reduce the log size by reducing the volume of data collected. This will also allow analysts to encounter fewer false positive alerts and saves time.

The most annoying thing in SIEM administration is the volume of data. Thus, while we are getting data from host or network security controls, we should carry out that we do not send useless data to the SIEM. Be careful about both EDR and especially NDR solutions can create huge amount of data.

Reward for Conti Up To $15m

In may, we announced that The Department of State is offering a reward of up to $10M for information leading to the identification and/or location of any leaders of the Conti ransomware group. Additional $5M reward for any information conspiring Conti.

On 25th of July, The Department of State increased the reward to $15M for information that could identify Conti members. Additional $5M offering for data that will allow to arrest the members is also still existing.

Conti has involved lots of cyber attacks.