Hostrisk Security Platform
    • Cerberus

      Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours
      research • Cerberus

      ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development required to craft a weaponized exploit has increased. This is especially relevant for memory corruption […]

      The post Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours appeared first on Security Intelligence.

      https://securityintelligence.com/posts/patch-tuesday-exploit-wednesday-pwning-windows-ancillary-function-driver-winsock/

    • Cerberus

      When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule
      research • Cerberus

      In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as […]

      The post When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule appeared first on Security Intelligence.

      https://securityintelligence.com/posts/defensive-considerations-lazarus-fudmodule/

    • Cerberus

      Defining the Cobalt Strike Reflective Loader
      research • Cerberus

      The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams […]

      The post Defining the Cobalt Strike Reflective Loader appeared first on Security Intelligence.

      https://securityintelligence.com/posts/defining-cobalt-strick-reflective-loader/

    • Cerberus

      Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023
      research • Cerberus

      Deployment of backdoors was the number one action on objective taken by threat actors last year, according to the 2023 IBM Security X-Force Threat Intelligence Index — a comprehensive analysis of our research data collected throughout the year. Backdoor access is now among the hottest commodities on the dark web and can sell for thousands […]

      The post Backdoor Deployment and Ransomware: Top Threats Identified in X-Force Threat Intelligence Index 2023 appeared first on Security Intelligence.

      https://securityintelligence.com/posts/2023-x-force-threat-intelligence-index-report/

    • Cerberus

      Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers
      research • Cerberus

      Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers are using this technique to achieve their objectives. It is therefore important that we put […]

      The post Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers appeared first on Security Intelligence.

      https://securityintelligence.com/posts/direct-kernel-object-manipulation-attacks-etw-providers/

    • Cerberus

      Kronos Malware Reemerges with Increased Functionality
      research • Cerberus

      The Evolution of Kronos Malware The Kronos malware is believed to have originated from the leaked source code of the Zeus malware, which was sold on the Russian underground in 2011. Kronos continued to evolve and a new variant of Kronos emerged in 2014 and was reportedly sold on the darknet for approximately $7,000. Kronos […]

      The post Kronos Malware Reemerges with Increased Functionality appeared first on Security Intelligence.

      https://securityintelligence.com/kronos-malware-reemerges-increased-functionality/

    • Cerberus

      An IBM Hacker Breaks Down High-Profile Attacks
      research • Cerberus

      On September 19, 2022, an 18-year-old cyberattacker known as “teapotuberhacker” (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of […]

      The post An IBM Hacker Breaks Down High-Profile Attacks appeared first on Security Intelligence.

      https://securityintelligence.com/posts/an-ibm-hacker-breaks-down-high-profile-attacks/

    • Cerberus

      Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”
      research • Cerberus

      September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code execution exploitation on that machine.” Pure remote vulnerabilities usually yield a lot of interest, but […]

      The post Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP” appeared first on Security Intelligence.

      https://securityintelligence.com/posts/dissecting-exploiting-tcp-ip-rce-vulnerability-evilesp/

    • Cerberus

      Self-Checkout This Discord C2
      research • Cerberus

      In November 2022, during an incident investigation involving a self-checkout point-of-sale (POS) system in Europe, IBM Security X-Force identified a novel technique employed by an attacker to introduce a command and control (C2) channel built upon Discord channel messages. Discord is a chat, voice, and video service enabling users to join and create communities associated […]

      The post Self-Checkout This Discord C2 appeared first on Security Intelligence.

      https://securityintelligence.com/posts/self-checkout-discord-c2/

    • Cerberus

      A View Into Web(View) Attacks in Android
      research • Cerberus

      James Kilner contributed to the technical editing of this blog. Nethanella Messer, Segev Fogel, Or Ben Nun and Liran Tiebloom contributed to the blog. Although in the PC realm it is common to see financial malware used in web attacks to commit fraud, in Android-based financial malware this is a new trend. Traditionally, financial malware […]

      The post A View Into Web(View) Attacks in Android appeared first on Security Intelligence.

      https://securityintelligence.com/posts/view-into-webview-attacks-android/

    • Cerberus

      Beware of What Is Lurking in the Shadows of Your IT
      research • Cerberus

      This post was written with contributions from Joseph Lozowski. Comprehensive incident preparedness requires building out and testing response plans that consider the possibility that threats will bypass all security protections. An example of a threat vector that can bypass security protections is “shadow IT” and it is one that organizations must prepare for. Shadow IT […]

      The post Beware of What Is Lurking in the Shadows of Your IT appeared first on Security Intelligence.

      https://securityintelligence.com/posts/beware-lurking-shadows-it/

    • Cerberus

      How to Embed Gen Z in Your Organization’s Security Culture
      research • Cerberus

      Generation Z, which Pew Research Center defines as those born after 1996, is considered the first digital-native generation. This group of young people always has the latest technology at their fingertips. Yet even with this strong digital connection, the National Cybersecurity Alliance (NCSA) found that Gen Zers have higher cyber incident victimization rates than previous […]

      The post How to Embed Gen Z in Your Organization’s Security Culture appeared first on Security Intelligence.

      https://securityintelligence.com/posts/gen-z-cybersecurity-culture/

    • Cerberus

      Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism
      research • Cerberus

      In September 2022, Microsoft patched an information disclosure vulnerability in SPNEGO NEGOEX (CVE-2022-37958). On December 13, Microsoft reclassified the vulnerability as “Critical” severity after IBM Security X-Force Red Security Researcher Valentina Palmiotti discovered the vulnerability could allow attackers to remotely execute code. The vulnerability is in the SPNEGO Extended Negotiation (NEGOEX) Security Mechanism, which allows […]

      The post Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism appeared first on Security Intelligence.

      https://securityintelligence.com/posts/critical-remote-code-execution-vulnerability-spnego-extended-negotiation-security-mechanism/

    • Cerberus

      Containers, Security, and Risks within Containerized Environments
      research • Cerberus

      Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or […]

      The post Containers, Security, and Risks within Containerized Environments appeared first on Security Intelligence.

      https://securityintelligence.com/posts/containers-security-risks-containerized-environments/

    • Cerberus

      RansomExx Upgrades to Rust
      research • Cerberus

      IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this […]

      The post RansomExx Upgrades to Rust appeared first on Security Intelligence.

      https://securityintelligence.com/posts/ransomexx-upgrades-rust/

    • Cerberus

      How the DNSChanger Shutdown Changed Cybersecurity
      research • Cerberus

      On the morning of July 9, 2012, the world braced for an “internet doomsday”: a full-scale crash of the global internet. Except it didn’t happen. And that non-event represented the culmination of a long and successful coordinated action taken between a huge number of organizations, spearheaded by the FBI. It was one of the most […]

      The post How the DNSChanger Shutdown Changed Cybersecurity appeared first on Security Intelligence.

      https://securityintelligence.com/articles/how-dnschanger-shutdown-changed-cybersecurity/

    • Cerberus

      Defending Education from Cyber Threat Attackers
      research • Cerberus

      Threat actors — and particularly ransomware attackers — have education institutions in their crosshairs. From Vice Society’s September attack on schools in California to Snatch’s late October assault on schools in Wisconsin, threat actors are not holding back when it comes to preying on schools. K-12 schools are the most vulnerable within the education industry, […]

      The post Defending Education from Cyber Threat Attackers appeared first on Security Intelligence.

      https://securityintelligence.com/posts/defending-education-cyber-threat-attackers/

    • Cerberus

      How the Mac OS X Trojan Flashback Changed Cybersecurity
      research • Cerberus

      Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that “it doesn’t get PC viruses”. But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has […]

      The post How the Mac OS X Trojan Flashback Changed Cybersecurity appeared first on Security Intelligence.

      https://securityintelligence.com/articles/how-mac-trojan-flashback-changed-cybersecurity/

    • Cerberus

      How the Mac OS X Trojan Flashback Changed Cybersecurity
      research • Cerberus

      Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that “it doesn’t get PC viruses”. But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has […]

      The post How the Mac OS X Trojan Flashback Changed Cybersecurity appeared first on Security Intelligence.

      https://securityintelligence.com/articles/how-mac-trojan-flashback-changed-cybersecurity-2/

    • Cerberus

      Overcoming Distrust in Information Sharing: What More is There to Do?
      research • Cerberus

      As cyber threats increase in frequency and intensity worldwide, it has never been more crucial for governments and private organizations to work together to identify, analyze and combat attacks. Yet while the federal government has strongly supported this model of private-public information sharing, the reality is less than impressive. Many companies feel that intel sharing […]

      The post Overcoming Distrust in Information Sharing: What More is There to Do? appeared first on Security Intelligence.

      https://securityintelligence.com/articles/overcoming-distrust-information-sharing/