The vulnerability refers to a type confusion bug in the WebKit browser engine
Monthly Archives: March 2023
France Bans TikTok, Other ‘Fun’ Apps From Government Devices
The move is expected to affect roughly 2.5 million government officials
Data loss from insider events increases despite IRM programs: Report
A vast majority of companies are struggling with data losses from insider events despite having dedicated insider risk management (IRM) programs in place, according to a data exposure report commissioned by Code42.
The study conducted by Vanson Bourne, an independent research firm for technology companies, interviewed 700 cybersecurity professionals, managers, and leaders in the US between January and February.
“Insider incidents are growing and it’s not surprising as we have settled into a hybrid-work arrangement,” said Joe Payne, president and CEO of Code42. “Everything being digitized these days, irrespective of the business you are in, makes for a very easy passage of data by simply clicking through desktops, either intentionally or accidentally.”
Security Vulnerabilities in Snipping Tools
Both Google Pixel’s Markup tool and the Windows Snipping Tool have vulnerabilities that allow people to partially recover content that was edited out of images.
golang-1.20.2-1.fc38
FEDORA-2023-8ee7d4a8e3
Packages in this update:
golang-1.20.2-1.fc38
Update description:
go1.20.2 (released 2023-03-07) includes a security fix to the crypto/elliptic package, as well as bug fixes to the compiler, the covdata command, the linker, the runtime, and the crypto/ecdh, crypto/rsa, crypto/x509, os, and syscall packages. See the Go 1.20.2 milestone on the upstream issue tracker for details.
golang-1.19.7-1.fc36
FEDORA-2023-7442702a7d
Packages in this update:
golang-1.19.7-1.fc36
Update description:
go1.19.7 (released 2023-03-07) includes a security fix to the crypto/elliptic package, as well as bug fixes to the linker, the runtime, and the crypto/x509 and syscall packages. See the Go 1.19.7 milestone on the upstream issue tracker for details.
golang-1.19.7-1.fc37
FEDORA-2023-dc0a020a2e
Packages in this update:
golang-1.19.7-1.fc37
Update description:
go1.19.7 (released 2023-03-07) includes a security fix to the crypto/elliptic package, as well as bug fixes to the linker, the runtime, and the crypto/x509 and syscall packages. See the Go 1.19.7 milestone on the upstream issue tracker for details.
Dridex malware, the banking trojan
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.
Introduction:
Dridex, also known as Cridex or Bugat, is a banking Trojan that has been active since 2011. The malware is primarily used to steal sensitive information, such as login credentials and financial information, from victims. Dridex is known for its ability to evade detection by using dynamic configuration files and hiding its servers behind proxy layers.
The Dridex malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, will install the malware on the victim’s computer. The malware then uses web injections to steal financial information from the victim.
One of the interesting features of Dridex is its use of a peer-to-peer (P2P) network for command and control (C&C) communication. This allows the attackers to evade detection by security researchers and law enforcement, as the C&C servers can be quickly changed if one is discovered.
In terms of atomic techniques, Dridex uses a variety of methods to evade detection and maintain persistence on an infected system. Some of these techniques include:
Fileless infection: Dridex can infect a system without leaving any trace of a malicious file on the hard drive.
Process hollowing: Dridex can inject its code into a legitimate process in order to evade detection by security software.
Anti-debugging and anti-virtualization: Dridex can detect if it is running in a virtualized environment or if it is being debugged, and will terminate itself if it is.
Dridex is a well-known and sophisticated banking Trojan that has been active for more than a decade; it has been known to target financial institutions, businesses, and individuals. Despite the arrest of one of its administrators in 2015, the malware continues to be active and evolve.
Recent infection on Macs:
The recent variant of Dridex malware that targets macOS systems delivers malicious macros via documents in a new way. The malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, will install the malware on the victim’s computer. The variant overwrites document files to carry Dridex’s malicious macros, but currently the payload it delivers is a Windows executable (.exe), which won’t run in a macOS environment. This suggests that the variant may still be in the testing stages and not yet fully converted to work on macOS machines. However, it’s possible that the attackers will make further modifications to make it compatible with macOS in the future.
Once the malware is installed on the system, it searches for files with .doc extensions and overwrites them with the malicious code. The overwritten code carries a D0CF file signature (the header of the OLE Compound File format used by legacy Microsoft Office documents), implying it is a Microsoft document file. This means that the malicious macros are delivered via document files, which makes it harder for the user to determine whether the file is malicious or not.
The malware also uses basic string encryption to hide the malicious URL it connects to in order to retrieve a file. This delivery method differs from the traditional one, which relies on email attachments, and shows that the attackers behind Dridex are trying to find new targets and more efficient methods of entry.
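The overwriting behaviour described above leaves a detectable trace on disk: existing .doc files suddenly become OLE documents that carry a VBA project, and many of them change within a short time window. The following triage script is an added example written for this page; it is not code from the article, from AT&T or from PerimeterWatch. It walks a directory tree, checks whether each .doc really starts with the OLE Compound File magic bytes, applies a byte-level heuristic for VBA storage names, and groups files whose modification times cluster together. The file names and sample contents in `demo()` are constructed for the demonstration, and the marker search is a heuristic rather than a full OLE parse.

```python
# Added example (not from the article, AT&T or PerimeterWatch): defender-side
# triage for .doc files that may have been overwritten with macro-carrying
# OLE documents. Sample files in demo() are constructed, not real malware.
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Magic bytes of the OLE Compound File format ("D0CF" in the article).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OLE directory entries store stream/storage names as UTF-16LE. Seeing these
# names in the raw bytes is a cheap heuristic for an embedded VBA project;
# a real parser (e.g. olefile/oletools) is the authoritative check.
MACRO_MARKERS = {name: name.encode("utf-16-le")
                 for name in ("Macros", "VBA", "_VBA_PROJECT")}


def classify(data: bytes) -> Dict[str, object]:
    """Classify raw file bytes: OLE header present? which macro markers seen?"""
    is_ole = data.startswith(OLE_MAGIC)
    markers = [n for n, raw in MACRO_MARKERS.items() if raw in data] if is_ole else []
    if markers:
        verdict = "ole_with_macro_markers"
    elif is_ole:
        verdict = "ole_no_macros"
    else:
        verdict = "not_ole"  # extension says .doc, content does not
    return {"ole_header": is_ole, "macro_markers": markers, "verdict": verdict}


def triage_tree(root: str, max_read: int = 4 * 1024 * 1024) -> List[Dict[str, object]]:
    """Classify every *.doc under `root` (case-sensitive glob), newest first."""
    results = []
    for path in Path(root).rglob("*.doc"):
        with open(path, "rb") as fh:
            data = fh.read(max_read)  # directory entries sit early in the file
        info = classify(data)
        info["path"] = str(path)
        info["mtime"] = os.path.getmtime(path)
        results.append(info)
    results.sort(key=lambda r: r["mtime"], reverse=True)
    return results


def find_bursts(results: List[Dict[str, object]], window_seconds: float = 60.0,
                min_files: int = 2) -> List[List[Dict[str, object]]]:
    """Group files whose modification times fall within `window_seconds` of the
    first file in the group. A loader rewriting every document it finds shows
    up as one large burst, unlike normal user edits spread over days."""
    ordered = sorted(results, key=lambda r: r["mtime"])
    bursts, current = [], []
    for r in ordered:
        if current and r["mtime"] - current[0]["mtime"] > window_seconds:
            if len(current) >= min_files:
                bursts.append(current)
            current = []
        current.append(r)
    if len(current) >= min_files:
        bursts.append(current)
    return bursts


def demo() -> Dict[str, object]:
    """Write three constructed samples to a temp dir, triage them, report."""
    samples = {
        # looks like a document overwritten with a macro-carrying OLE file
        "quarterly.doc": OLE_MAGIC + b"\x00" * 64 + "VBA".encode("utf-16-le")
                         + b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le"),
        # OLE header but no VBA storage names
        "notes.doc": OLE_MAGIC + b"\x00" * 128,
        # plain text wearing a .doc extension
        "readme.doc": b"Just a text file with a .doc name\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            Path(tmp, name).write_bytes(content)
        results = triage_tree(tmp)
        verdicts = {Path(r["path"]).name: r["verdict"] for r in results}
        burst_sizes = [len(b) for b in find_bursts(results)]
    return {"verdicts": verdicts, "burst_sizes": burst_sizes}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a user's document folders after an incident, or periodically from an endpoint agent: the interesting output is the intersection of the two signals, a burst of .doc files modified in the same minute whose content now carries VBA storage names. Treat hits as candidates for a proper OLE parse and hash comparison against backups, not as a final verdict.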
How it works:
Dridex is a banking Trojan that is typically distributed through phishing email campaigns. The malware is delivered as an attachment, often in the form of a Word or Excel document, that contains a malicious macro. Once the macro is enabled, it will download and execute the Dridex payload on the victim’s system.
Once installed, Dridex can perform a variety of malicious actions, including keylogging, capturing screenshots, and stealing login credentials. The malware can also be used to create a botnet, allowing the attackers to remotely control the infected systems.
Dridex uses web injects, which are modules that can inject HTML or JavaScript code into a web page before it is rendered. This allows the malware to manipulate the appearance of web pages and trick the user into entering sensitive information, such as login credentials or credit card numbers. The malware can then send this information to its command and control (C2) server.
Dridex uses a variety of techniques to evade detection and maintain persistence on an infected system. These include using code injection to infect other processes, using named pipes to communicate with other processes, and using anti-debugging and anti-virtualization techniques to evade analysis.
In addition, Dridex uses a technique called “Heaven’s Gate” to bypass Windows’ WoW64 (Windows 32-bit on Windows 64-bit) layer, allowing it to execute 64-bit code on a 32-bit system. This technique involves using a feature in Windows that allows 32-bit applications to call 64-bit functions. By running malware code in a 64-bit environment, Dridex evades detection and anti-analysis by security tools that are not designed to detect 64-bit malware on 32-bit systems.
Remediation:
1. Isolate and remove the malware: Identify and isolate any infected systems and remove the malware using reputable anti-virus software.
2. Change all passwords: Dridex malware is known to steal login credentials, so it is important to change all passwords on the affected systems.
3. Patch the system: Ensure that all systems are fully patched and updated with the latest security fixes.
4. Use endpoint protection: Implement endpoint protection software to detect and block Dridex malware and other malicious software.
5. Monitor network traffic: Monitor network traffic for suspicious activity and use intrusion detection systems (IDS) to detect and block malicious traffic.
6. Employee education: Educate employees on how to identify and avoid phishing scams, and to be cautious when opening email attachments or clicking on links.
7. Regular backups: Regularly backup important data and keep backups in a secure location.
8. Use a firewall: Use a firewall to block incoming and outgoing connections from known malicious IP addresses.
Conclusion:
Dridex is a well-known banking Trojan that has been active since 2012, targeting financial institutions and their customers. The malware is typically distributed through phishing email campaigns, using attachments or links that lead to the downloading of the malware. Once on a system, Dridex can use various techniques to steal sensitive information, including web injection to manipulate web pages and steal credentials. Remediation efforts should include monitoring for suspicious activity, blocking known malicious IPs and domains, keeping software updated, and educating users on how to identify and avoid phishing attempts. Additionally, monitoring for known indicators of compromise and inspecting processes and DLL files that are known to be targeted by Dridex can help detect and prevent Dridex infections.
This author is from www.perimeterwatch.com
Four Years Behind Bars for Prolific BEC Scammer
Office of the Director of National Intelligence highlights cyber threats in 2023 Intelligence Threat Assessment
When the Office of the Director of National Intelligence (ODNI) highlights a threat in its unclassified assessment and intimates that there is substantive supporting evidence available, one should not sit back and let the data points pass idly by — and we aren’t. The ODNI minced no words as they addressed China, Russia, North Korea, and Iran as the key nation-states responsible for cyber threats and then continued to highlight other non-state actors that are equally worthy of our attention in the 2023 Threat Assessment.