Showing results for tags 'malware'.

Found 18 results

  1. Cybercriminals pilfered an average of 50.9 login credentials per device, evidence of the pressing need for cybersecurity measures. The post 10 Million Devices Were Infected by Data-Stealing Malware in 2023 appeared first on Security Boulevard.
  2. Visa is warning its partners, clients, and customers of an ongoing phishing attack that aims to deliver a banking trojan. The Visa Payment Fraud Disruption (PFD) unit sent out a security alert to card issuers, processors, and acquirers, noting it had observed a new phishing campaign that started in late March this year. The campaign targets mostly financial institutions in South and Southeast Asia, the Middle East, and Africa, and aims to drop a new version of the banking trojan called JsOutProx. "While PFD could not confirm the ultimate goal of the recently identified malware campaign, this eCrime group may have previously targeted financial institutions to conduct fraudulent activity."

Impersonating legitimate institutions

Unfortunately, we don’t know the name of the threat actor behind the campaign, or the number of companies that fell victim. The researchers speculate, based on the sophistication of the attacks, the profile of the victims, and their geographical location, that the attackers are most likely China-based, or at least China-affiliated. We also know that JsOutProx is a remote access trojan that was first spotted in late 2019, and is described as a “highly obfuscated” JavaScript backdoor that allows its users to run shell commands, download additional malware, run files, grab screenshots, control various peripherals, and establish persistence on the target endpoint. It’s hosted on a GitLab repository, apparently. In the phishing emails, the attackers are impersonating legitimate institutions, showing victims fake SWIFT and MoneyGram payment notifications. Phishing remains one of the most lucrative ways to deploy malware. It’s cheap and easily scalable, and now with the help of generative artificial intelligence, relatively difficult to spot. IT teams are advised to educate their employees to identify a phishing attack, as well as to install email security software, firewalls, and antivirus tools.

Via BleepingComputer
  3. Cybersecurity researchers from Trend Micro have uncovered a brand new piece of malware that uses an unusual method of hiding from antivirus programs. The malware is called UNAPIMON, and is apparently being used by Winnti, an established Chinese state-sponsored threat actor that was behind some of the most devastating attacks against governments, hardware and software vendors, think tanks, and more. According to Trend Micro, many malware variants are using a method known as API hooking to eavesdrop on calls, grab sensitive data, and tweak different software. Therefore, many security tools also use API hooking to track the malware.

Simplicity and originality

"With UNAPIMON, things are different. It uses Microsoft Detours for hooking the CreateProcessW API function, which allows it to unhook critical API functions in child processes. As a result, it successfully evades antivirus detection. A unique and notable feature of this malware is its simplicity and originality," Trend Micro said in its report. "Its use of existing technologies, such as Microsoft Detours, shows that any simple and off-the-shelf library can be used maliciously if used creatively. This also displayed the coding prowess and creativity of the malware writer." "In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case." Using Microsoft Detours in this regard has other benefits, too, the researchers explained. As this is a legitimate debugging tool, it even evades behavioral detection. In its writeup, BleepingComputer described Winnti hackers as “known for their novel methods of evading detection when conducting attacks.” Back in 2020, the group was spotted abusing Windows print processors to hide a piece of malware and persist on the target network. Two years later, they broke a Cobalt Strike beacon into more than a hundred pieces, and only reconstructed it when they needed to use it.
  4. A new version of a known Android banking trojan is making the rounds on the internet, stealing sensitive data, and possibly even money, from its victims. Cybersecurity researchers from NCC Group’s Fox-IT sounded the alarm about a new, upgraded version of the Vultur banking trojan, first spotted in early 2021 but having received a number of important changes and upgrades since then. While previous versions were being distributed via dropper apps that were smuggled onto the Play Store, this new version uses a combination of smishing and legitimate app abuse. The researchers said that the attackers would first send an SMS message to their victims, warning them of an unauthorized payment transaction and sharing a phone number for the victim to call.

Full takeover

If the victim takes the bait and calls the number, the attacker then persuades them to download a compromised version of the McAfee Security app. While on the surface the app works as intended, in the background it delivers the Brunhilda malware dropper. This dropper drops three payloads, including two APKs and a DEX file which, after obtaining Accessibility Services, establish a connection with the command and control (C2) server, and grant the attackers remote control over the Android device. For a trojan, Vultur is quite competent. It can record the screen, log keystrokes, and grant the attackers remote access via AlphaVNC and ngrok. Furthermore, it allows the attackers to download and upload files, install apps, delete files, click, scroll, and swipe through the device, and block different apps from running. It can also display custom notifications and disable Keyguard to bypass the lock screen. Finally, Vultur encrypts its C2 communications to further evade detection. As usual, the best way to defend against these threats is to use common sense, and only download apps from legitimate, proven repositories.

Via BleepingComputer
  5. A dangerous espionage malware, previously only used against Windows devices, is increasingly being observed on Linux machines, too, experts have warned. Following earlier reports by ESET and Trend Micro, Kaspersky is now warning of the Dinodas Remote Access Trojan (RAT), signaling the rising popularity of the malware. Kaspersky claims the backdoor is “fully functional, granting the operator complete control over the infected machine, enabling data exfiltration and espionage”. DinodasRAT is designed to monitor, control, and steal data from target endpoints. Besides stealing data, it can run processes, create a remote shell for direct command or file execution, update and upgrade itself, uninstall itself and delete all traces of its existence.

XDealer and DinodasRAT

Older reports indicate that DinodasRAT is a Linux version of a known Windows RAT dubbed XDealer. Earlier in March, Trend Micro observed the Chinese APT group known as “Earth Krahang” using XDealer against both Windows and Linux systems belonging to “governments worldwide”. The researchers did not detail how the attackers managed to drop the malware onto target endpoints, but did stress that since October 2023, the targets were mostly located in China, Taiwan, Turkey, and Uzbekistan. Today, many nation-states are engaged in cyber-warfare, disrupting operations and stealing sensitive data from their adversaries. Besides China, there are notable threats coming from North Korea (Lazarus Group, for example), Russia (Fancy Bear), Iran (Scarred Manticore), and others. With war raging in Ukraine, China eyeing Taiwan, Israel engaged against Hamas, as well as other potential hotspots (the issues of migration in both Europe and the States, U.S. presidential elections), it is no wonder that not a day goes by without news of state-sponsored hacking groups engaging in cyber-espionage. The rising popularity of DinodasRAT only demonstrates the increasing use of Linux-powered devices in government agencies around the world.

Via BleepingComputer
  6. Python Package Index (PyPI), the largest repository of Python packages, has once again been forced to suspend new account and new project registrations. Cybersecurity experts from both Checkmarx and Check Point observed a large-scale cyberattack in which threat actors tried to upload hundreds of malicious packages to the platform, in an attempt to compromise software developers and mount supply chain attacks. The packages mimic legitimate ones already uploaded to PyPI, an attack usually called “typosquatting”. It relies on developers being reckless and picking up the malicious version of the package, instead of the legitimate one. While Checkmarx says the attackers tried to upload some 365 packages, Check Point claims at least 500. Regardless of the total number, the attack’s goal is to get the victims to install an infostealer with persistence capabilities. This infostealer grabs, among other things, passwords stored in browsers, cookies, and cryptocurrency wallet-related information.

Registrations reopened

PyPI seems to have addressed the issue in the meantime, as at the time of writing, registrations were reopened. PyPI is the world’s biggest repository for open-source Python packages, and as such, is facing a constant barrage of cyberattacks. In late May 2023, the platform was forced to do the same thing, as it faced an “unimaginable flood of malicious code” being uploaded to the platform. In an announcement posted on the PyPI status page, the organization said: “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave.” It took the company the entire weekend to lift the suspension.

Via BleepingComputer
  7. Emergency stop button: The Python Package Index was drowning in malicious code again, so they had to shut down registration for cleanup. The post PyPI Goes Quiet After Huge Malware Attack: 500+ Typosquat Fakes Found appeared first on Security Boulevard.
  8. Cybersecurity researchers from Checkmarx have discovered a new infostealing campaign that leveraged typosquatting and stolen GitHub accounts to distribute malicious Python packages to the PyPI repository. In a blog post, Tal Folkman, Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornshtain of Checkmarx said they discovered the campaign after a Python developer complained about falling victim to the attack. Apparently, the company believes more than 170,000 people are at risk.

Infostealers and keyloggers

The attackers first took a popular Python mirror, Pythonhosted, and created a typosquatted website version. They named it PyPIhosted. Then, they grabbed a major package, called Colorama (150+ million monthly downloads), added malicious code to it, and then uploaded it to their typosquatted-domain fake mirror. “This strategy makes it considerably more challenging to identify the package's harmful nature with the naked eye, as it initially appears to be a legitimate dependency,” the researchers explained. Another strategy involved stealing popular GitHub accounts. An account named “editor-syntax” was compromised, most likely via session cookie theft. By obtaining session cookies, the attackers managed to bypass any and all authentication methods and logged directly into the person’s account. Editor-syntax is a major contributor, maintaining the Top.gg GitHub organization whose community counts more than 170,000 members. The threat actors used the access to commit malware to the Top.gg Python library. The goal of the campaign was to steal sensitive data from the victims. Checkmarx’s researchers said the malware stole browser data (cookies, autofill information, browsing history, bookmarks, credit cards, and login credentials, from the biggest browsers such as Opera, Chrome, Brave, Vivaldi, Yandex, and Edge), Discord data (including Discord tokens, which can be used to access accounts), cryptocurrency wallet data, Telegram chat sessions, computer files, and Instagram data. Further analysis also discovered that the infostealer was able to work as a keylogger, as well.
  9. Hackers are, once again, impersonating major tech brands to trick people into downloading malware to their computers, experts have warned. Cybersecurity researchers from the Zscaler ThreatLabz recently discovered a new campaign, in which unidentified threat actors created countless websites whose URL is almost identical to actual websites belonging to the likes of Google, Skype, and Zoom. This method is also known as “typosquatting”, and relies on the fact that many people won’t spot a “typo” in the URL, and will believe they are on the legitimate site instead of a malicious one.

Sites in Russian

The websites pretend to host video conferencing software, such as Google Meet and the like. The software offers download links for Windows, Android, and iOS. However, while the iOS link doesn’t do anything malicious (it redirects the users to the actual product), the Android and Windows links deliver malware. For Android, it’s nothing more than an APK, but for Windows, it initiates the download of a batch script. That batch executes a PowerShell script, which downloads and runs one of a few remote access trojans (RAT) spotted in the campaign - Spynote RAT (Android), NjRAT, or DCRat (Windows). The campaign has been active since December 2023, with the researchers adding that the spoofed sites are Russian, indicating that the threat actors are either Russian themselves, or simply targeting Russian consumers. "The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems," they added. The RATs can be used for a wide array of malicious activities, from stealing sensitive information from the devices, to logging keystrokes, and exfiltrating files. The method of promoting these websites is unknown, but it is safe to assume that there is a phishing campaign active somewhere on the internet, and that the sites are being actively promoted on social media and various online forums.

Via TheHackerNews
  10. Hackers are exploiting misconfigured servers running Docker, Confluence, and other services in order to drop cryptocurrency miners. Researchers at Cado Security Labs recently observed one such malware campaign, noting how threat actors are using multiple “unique and unreported payloads”, including four Golang binaries, to automatically discover Apache Hadoop YARN, Docker, Confluence, and Redis hosts, vulnerable to CVE-2022-26134, an unauthenticated and remote OGNL injection vulnerability that allows for remote code execution. This flaw was first discovered two years ago, when threat actors targeted Confluence servers (typically the confluence user on Linux installations). At the time, the researchers said internet-facing Confluence servers were at “very high risk”, and urged IT teams to apply the patch immediately. It seems that even now, two years later, not all users have installed the available fixes.

Unidentified threat

The tools are also designed to exploit the flaw and drop a cryptocurrency miner, spawn a reverse shell, and enable persistent access to the compromised hosts. Cryptocurrency miners are popular among cybercriminals, as they take advantage of the high compute power of a server to generate almost untraceable profits. One of the most popular crypto-miners out there is called XMRig, a small program mining the Monero currency. On the victim’s side, however, not only are their servers unusable, but the miners would rack up their electricity bill fairly quickly. For now, Cado is unable to attribute the campaign to any specific threat actor, saying it would need the help of law enforcement for that: “As always, it’s worth stressing that without the capabilities of governments or law enforcement agencies, attribution is nearly impossible – particularly where shell script payloads are concerned,” it said. Still, it added that the shell script payloads are similar to ones seen in attacks done by TeamTNT, and WatchDog.
  11. Threat actors have been targeting telecom operators across the world in a stealthy, sophisticated espionage campaign, new research has found. A report from BleepingComputer cites the findings of a security researcher with the alias HaxRob who found two versions of a previously unknown backdoor, uploaded to VirusTotal in late 2023. The backdoor is called GTPDOOR, and apparently, it targets a “very old Red Hat Linux version, indicating an outdated target.” The backdoor was said to be targeting SGSN, GGSN, and P-GW, systems which are adjacent to the GPRS roaming eXchange (GRX) service. These services can grant the attackers direct access to a telecom’s core network which, in turn, would allow them to gather sensitive, private information. With the help of GTPDOOR, the attackers could set a new encryption key for C2 communications, write arbitrary data to a local file named “system.conf”, execute arbitrary shell commands and return the output back to the C2, specify which IP addresses can communicate with the compromised host, pull the ACL list, and finally, reset the malware.

LightBasin returns

The backdoors were “largely undetected” by antivirus engines, BleepingComputer notes. The researcher attributed the backdoor to LightBasin, allegedly a Chinese threat actor, also known as UNC1945. It was first spotted by cybersecurity researchers at Mandiant back in 2016 and has, since then, been observed targeting the telecommunications sector at a global scale. The group has in-depth knowledge of telecommunications network architecture and protocols, it was said, and emulated some of them to steal “highly specific information” from mobile communication infrastructure (for example, subscriber information and call metadata). In a report from late 2021, researchers from CrowdStrike said LightBasin managed to attack 13 global telecoms in two years. To defend against such attacks, the researchers agree, businesses should watch out for unusual raw socket activities, unexpected process names, and malware indicators such as duplicate syslog processes.
  12. Hackers are exploiting a zero-day vulnerability in Windows Defender SmartScreen to infect crypto traders with malware. Researchers from Trend Micro revealed a threat actor going by Water Hydra (AKA DarkCasino) abused the zero-day, now tracked as CVE-2024-21412, in attacks conducted on New Year’s Eve 2023. Microsoft has since released a patch, and in a follow-up advisory, explained that an unauthenticated attacker “could send the targeted user a specially crafted file that is designed to bypass displayed security checks."

Spearphishing on Telegram

Microsoft further explained that the attack still relies on victim action: "However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link." Trend Micro claims Water Hydra was joining Telegram channels and forums for forex, stock, and crypto traders, and used spearphishing techniques to get people to install the DarkMe malware. The group shared a stock chart that linked to fxbulls[.]ru, a compromised Russian trading information site that, in fact, impersonates fxbulls[.]com, a forex broker platform. DarkMe, while dangerous on its own, was just a step towards the final goal, which was to deploy ransomware, the researchers claim. "In late December 2023, we began tracking a campaign by the Water Hydra group that contained similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV) components," Trend Micro explained. "We concluded that calling a shortcut within another shortcut was sufficient to evade SmartScreen, which failed to properly apply Mark-of-the-Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source." The crypto industry has always been a popular target for cybercriminals. However, with bitcoin exchange-traded funds (ETF) finally approved, and the Bitcoin halving just two months away, the crypto industry is poised for yet another eye-watering bull run. This, as was the case in the past, will also attract more criminals.

Via BleepingComputer
  13. There are constant levels of high attacks and port scans on Linux servers all the time, while a properly configured firewall and regular security system ... The post 5 Tools to Scan a Linux Server for Malware and Rootkits first appeared on Tecmint: Linux Howtos, Tutorials & Guides.
  14. Amazon GuardDuty Malware Protection adds a new capability that allows customers to initiate on-demand malware scans of Amazon Elastic Compute Cloud (Amazon EC2) instances, including instances used to host container workloads. Scans can be initiated using the GuardDuty console, or programmatically via the API, without the need to deploy security software and are designed to have no performance impact to running workloads. When potential malware is identified, GuardDuty generates actionable security findings with information such as the threat and file name, the file path, the Amazon EC2 instance ID, resource tags and, in the case of containers, the container ID and the container image used. This capability builds on the existing Malware Protection capability of GuardDuty-initiated scans that when enabled, automatically initiates a malware scan when GuardDuty detects suspicious behavior indicative of malware on the instance.
  15. Amazon GuardDuty Malware Protection is now available, in Amazon GuardDuty, to help detect malicious files residing on an instance or container workload running on Amazon Elastic Compute Cloud (Amazon EC2) without deploying security software or agents. Amazon GuardDuty Malware Protection adds file scanning for workloads utilizing Amazon Elastic Block Store (EBS) volumes to detect malware that can be used to compromise resources, modify access permissions, and exfiltrate data. Malicious files that contain trojans, worms, crypto miners, rootkits, bots, and the like can be used to compromise workloads, repurpose resources for malicious use, and gain unauthorized access to data. Existing customers can enable the GuardDuty Malware Protection feature with a single click in the GuardDuty console or through the GuardDuty API. When threats are detected, GuardDuty Malware Protection automatically sends security findings to AWS Security Hub, Amazon EventBridge, and Amazon Detective. These integrations help centralize monitoring for AWS and partner services, automate responses to malware findings, and perform security investigations from the GuardDuty console. With the launch of Amazon GuardDuty Malware Protection there are eight new threat detections:

    • Execution:EC2/MaliciousFile
    • Execution:ECS/MaliciousFile
    • Execution:Kubernetes/MaliciousFile
    • Execution:Container/MaliciousFile
    • Execution:EC2/SuspiciousFile
    • Execution:ECS/SuspiciousFile
    • Execution:Kubernetes/SuspiciousFile
    • Execution:Container/SuspiciousFile

  16. AWS Security Hub now automatically receives Amazon GuardDuty Malware Protection findings. Amazon GuardDuty Malware Protection delivers agentless detection of malware on your Amazon Elastic Compute Cloud (EC2) instance and container workloads. This integration between Security Hub and GuardDuty expands the centralization and single pane of glass experience in Security Hub by consolidating your malware findings alongside your other security findings, allowing you to more easily search, triage, investigate, and take action on your security findings. GuardDuty Malware Protection findings within Security Hub also contain an investigation link that allows you to quickly dive deeper to investigate the finding in Amazon Detective.
  17. With Amazon GuardDuty, you can monitor your AWS accounts and workloads to detect malicious activity. Today, we are adding to GuardDuty the capability to detect malware. Malware is malicious software that is used to compromise workloads, repurpose resources, or gain unauthorized access to data. When you have GuardDuty Malware Protection enabled, a malware scan is initiated when GuardDuty detects that one of your EC2 instances or container workloads running on EC2 is doing something suspicious. For example, a malware scan is triggered when an EC2 instance is communicating with a command-and-control server that is known to be malicious or is performing denial of service (DoS) or brute-force attacks against other EC2 instances. GuardDuty supports many file system types and scans file formats known to be used to spread or contain malware, including Windows and Linux executables, PDF files, archives, binaries, scripts, installers, email databases, and plain emails. When potential malware is identified, actionable security findings are generated with information such as the threat and file name, the file path, the EC2 instance ID, resource tags and, in the case of containers, the container ID and the container image used. GuardDuty supports container workloads running on EC2, including customer-managed Kubernetes clusters or individual Docker containers. If the container is managed by Amazon Elastic Kubernetes Service (EKS) or Amazon Elastic Container Service (Amazon ECS), the findings also include the cluster name and the task or pod ID so application and security teams can quickly find the affected container resources. As with all other GuardDuty findings, malware detections are sent to the GuardDuty console, pushed through Amazon EventBridge, routed to AWS Security Hub, and made available in Amazon Detective for incident investigation. 

How GuardDuty Malware Protection Works

When you enable malware protection, you set up an AWS Identity and Access Management (IAM) service-linked role that grants GuardDuty permissions to perform malware scans. When a malware scan is initiated for an EC2 instance, GuardDuty Malware Protection uses those permissions to take a snapshot of the attached Amazon Elastic Block Store (EBS) volumes that are less than 1 TB in size and then restore the EBS volumes in an AWS service account in the same AWS Region to scan them for malware. You can use tagging to include or exclude EC2 instances from those permissions and from scanning. In this way, you don’t need to deploy security software or agents to monitor for malware, and scanning the volumes doesn’t impact running workloads. The EBS volumes in the service account and the snapshots in your account are deleted after the scan. Optionally, you can preserve the snapshots when malware is detected. The service-linked role grants GuardDuty access to AWS Key Management Service (AWS KMS) keys used to encrypt EBS volumes. If the EBS volumes attached to a potentially compromised EC2 instance are encrypted with a customer-managed key, GuardDuty Malware Protection uses the same key to encrypt the replica EBS volumes as well. If the volumes are not encrypted, GuardDuty uses its own key to encrypt the replica EBS volumes and ensure privacy. Volumes encrypted with EBS-managed keys are not supported. Security in the cloud is a shared responsibility between you and AWS. As a guardrail, the service-linked role used by GuardDuty Malware Protection cannot perform any operation on your resources (such as EBS snapshots and volumes, EC2 instances, and KMS keys) if it has the GuardDutyExcluded tag. Once you mark your snapshots with GuardDutyExcluded set to true, the GuardDuty service won’t be able to access these snapshots. The GuardDutyExcluded tag supersedes any inclusion tag.
Permissions also restrict how GuardDuty can modify your snapshots so that they cannot be made public while shared with the GuardDuty service account. The EBS volumes created by GuardDuty are always encrypted. GuardDuty can use KMS keys only on EBS snapshots that have a GuardDuty scan ID tag. The scan ID tag is added by GuardDuty when snapshots are created after an EC2 finding. The KMS keys that are shared with the GuardDuty service account cannot be invoked from any other context except the Amazon EBS service. Once the scan completes successfully, the KMS key grant is revoked and the volume replica in the GuardDuty service account is deleted, making sure the GuardDuty service cannot access your data after completing the scan operation.

Enabling Malware Protection for an AWS Account

If you’re not using GuardDuty yet, Malware Protection is enabled by default when you activate GuardDuty for your account. Because I am already using GuardDuty, I need to enable Malware Protection from the console. If you’re using AWS Organizations, your delegated administrator accounts can enable this for existing member accounts and configure if new AWS accounts in the organization should be automatically enrolled. In the GuardDuty console, I choose Malware Protection under Settings in the navigation pane. There, I choose Enable and then Enable Malware Protection. Snapshots are automatically deleted after they are scanned. In General settings, I have the option to retain in my AWS account the snapshots where malware is detected and have them available for further analysis. In Scan options, I can configure a list of inclusion tags, so that only EC2 instances with those tags are scanned, or exclusion tags, so that EC2 instances with tags in the list are skipped.
Testing Malware Protection GuardDuty Findings

To generate several Amazon GuardDuty findings, including the new Malware Protection findings, I clone the Amazon GuardDuty Tester repo:

    $ git clone https://github.com/awslabs/amazon-guardduty-tester

First, I create an AWS CloudFormation stack using the guardduty-tester.template file. When the stack is ready, I follow the instructions to configure my SSH client to log in to the tester instance through the bastion host. Then, I connect to the tester instance:

    $ ssh tester

From the tester instance, I start the guardduty_tester.sh script to generate the findings:

    $ ./guardduty_tester.sh

    ***********************************************************************
    * Test #1 - Internal port scanning                                    *
    * This simulates internal reconaissance by an internal actor or an    *
    * external actor after an initial compromise. This is considered a    *
    * low priority finding for GuardDuty because its not a clear indicator*
    * of malicious intent on its own.                                     *
    ***********************************************************************

    Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-19 09:36 UTC
    Nmap scan report for ip-172-16-0-20.us-west-2.compute.internal (172.16.0.20)
    Host is up (0.00032s latency).
    Not shown: 997 filtered ports
    PORT     STATE  SERVICE
    22/tcp   open   ssh
    80/tcp   closed http
    5050/tcp closed mmcc
    MAC Address: 06:25:CB:F4:E0:51 (Unknown)

    Nmap done: 1 IP address (1 host up) scanned in 4.96 seconds

    -----------------------------------------------------------------------

    ***********************************************************************
    * Test #2 - SSH Brute Force with Compromised Keys                     *
    * This simulates an SSH brute force attack on an SSH port that we     *
    * can access from this instance. It uses (phony) compromised keys in  *
    * many subsequent attempts to see if one works. This is a common      *
    * techique where the bad actors will harvest keys from the web in     *
    * places like source code repositories where people accidentally leave*
    * keys and credentials (This attempt will not actually succeed in     *
    * obtaining access to the target linux instance in this subnet)       *
    ***********************************************************************

    2022-05-19 09:36:29 START
    2022-05-19 09:36:29 Crowbar v0.4.3-dev
    2022-05-19 09:36:29 Trying 172.16.0.20:22
    2022-05-19 09:36:33 STOP
    2022-05-19 09:36:33 No results found...
    2022-05-19 09:36:33 START
    2022-05-19 09:36:33 Crowbar v0.4.3-dev
    2022-05-19 09:36:33 Trying 172.16.0.20:22
    2022-05-19 09:36:37 STOP
    2022-05-19 09:36:37 No results found...
    2022-05-19 09:36:37 START
    2022-05-19 09:36:37 Crowbar v0.4.3-dev
    2022-05-19 09:36:37 Trying 172.16.0.20:22
    2022-05-19 09:36:41 STOP
    2022-05-19 09:36:41 No results found...
    2022-05-19 09:36:41 START
    2022-05-19 09:36:41 Crowbar v0.4.3-dev
    2022-05-19 09:36:41 Trying 172.16.0.20:22
    2022-05-19 09:36:45 STOP
    2022-05-19 09:36:45 No results found...
    2022-05-19 09:36:45 START
    2022-05-19 09:36:45 Crowbar v0.4.3-dev
    2022-05-19 09:36:45 Trying 172.16.0.20:22
    2022-05-19 09:36:48 STOP
    2022-05-19 09:36:48 No results found...
    2022-05-19 09:36:49 START
    2022-05-19 09:36:49 Crowbar v0.4.3-dev
    2022-05-19 09:36:49 Trying 172.16.0.20:22
    2022-05-19 09:36:52 STOP
    2022-05-19 09:36:52 No results found...
    2022-05-19 09:36:52 START
    2022-05-19 09:36:52 Crowbar v0.4.3-dev
    2022-05-19 09:36:52 Trying 172.16.0.20:22
    2022-05-19 09:36:56 STOP
    2022-05-19 09:36:56 No results found...
    2022-05-19 09:36:56 START
    2022-05-19 09:36:56 Crowbar v0.4.3-dev
    2022-05-19 09:36:56 Trying 172.16.0.20:22
    2022-05-19 09:37:00 STOP
    2022-05-19 09:37:00 No results found...
    2022-05-19 09:37:00 START
    2022-05-19 09:37:00 Crowbar v0.4.3-dev
    2022-05-19 09:37:00 Trying 172.16.0.20:22
    2022-05-19 09:37:04 STOP
    2022-05-19 09:37:04 No results found...
    2022-05-19 09:37:04 START
    2022-05-19 09:37:04 Crowbar v0.4.3-dev
    2022-05-19 09:37:04 Trying 172.16.0.20:22
    2022-05-19 09:37:08 STOP
    2022-05-19 09:37:08 No results found...
    2022-05-19 09:37:08 START
    2022-05-19 09:37:08 Crowbar v0.4.3-dev
    2022-05-19 09:37:08 Trying 172.16.0.20:22
    2022-05-19 09:37:12 STOP
    2022-05-19 09:37:12 No results found...
    2022-05-19 09:37:12 START
    2022-05-19 09:37:12 Crowbar v0.4.3-dev
    2022-05-19 09:37:12 Trying 172.16.0.20:22
    2022-05-19 09:37:16 STOP
    2022-05-19 09:37:16 No results found...
    2022-05-19 09:37:16 START
    2022-05-19 09:37:16 Crowbar v0.4.3-dev
    2022-05-19 09:37:16 Trying 172.16.0.20:22
    2022-05-19 09:37:20 STOP
    2022-05-19 09:37:20 No results found...
    2022-05-19 09:37:20 START
    2022-05-19 09:37:20 Crowbar v0.4.3-dev
    2022-05-19 09:37:20 Trying 172.16.0.20:22
    2022-05-19 09:37:23 STOP
    2022-05-19 09:37:23 No results found...
    2022-05-19 09:37:23 START
    2022-05-19 09:37:23 Crowbar v0.4.3-dev
    2022-05-19 09:37:23 Trying 172.16.0.20:22
    2022-05-19 09:37:27 STOP
    2022-05-19 09:37:27 No results found...
    2022-05-19 09:37:27 START
    2022-05-19 09:37:27 Crowbar v0.4.3-dev
    2022-05-19 09:37:27 Trying 172.16.0.20:22
    2022-05-19 09:37:31 STOP
    2022-05-19 09:37:31 No results found...
    2022-05-19 09:37:31 START
    2022-05-19 09:37:31 Crowbar v0.4.3-dev
    2022-05-19 09:37:31 Trying 172.16.0.20:22
    2022-05-19 09:37:34 STOP
    2022-05-19 09:37:34 No results found...
    2022-05-19 09:37:35 START
    2022-05-19 09:37:35 Crowbar v0.4.3-dev
    2022-05-19 09:37:35 Trying 172.16.0.20:22
    2022-05-19 09:37:38 STOP
    2022-05-19 09:37:38 No results found...
    2022-05-19 09:37:38 START
    2022-05-19 09:37:38 Crowbar v0.4.3-dev
    2022-05-19 09:37:38 Trying 172.16.0.20:22
    2022-05-19 09:37:42 STOP
    2022-05-19 09:37:42 No results found...
    2022-05-19 09:37:42 START
    2022-05-19 09:37:42 Crowbar v0.4.3-dev
    2022-05-19 09:37:42 Trying 172.16.0.20:22
    2022-05-19 09:37:46 STOP
    2022-05-19 09:37:46 No results found...

    -----------------------------------------------------------------------

    ***********************************************************************
    * Test #3 - RDP Brute Force with Password List                        *
    * This simulates an RDP brute force attack on the internal RDP port   *
    * of the windows server that we installed in the environment.  It uses*
    * a list of common passwords that can be found on the web. This test  *
    * will trigger a detection, but will fail to get into the target      *
    * windows instance.                                                   *
    ***********************************************************************

    Sending 250 password attempts at the windows server...
    Hydra v9.4-dev (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-05-19 09:37:46
    [WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
    [INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
    [WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
    [DATA] max 4 tasks per 1 server, overall 4 tasks, 1792 login tries (l:7/p:256), ~448 tries per task
    [DATA] attacking rdp://172.16.0.24:3389/
    [STATUS] 1099.00 tries/min, 1099 tries in 00:01h, 693 to do in 00:01h, 4 active
    1 of 1 target completed, 0 valid password found
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-05-19 09:39:23

    -----------------------------------------------------------------------

    ***********************************************************************
    * Test #4 - CryptoCurrency Mining Activity                            *
    * This simulates interaction with a cryptocurrency mining pool which  *
    * can be an indication of an instance compromise. In this case, we are*
    * only interacting with the URL of the pool, but not downloading      *
    * any files. This will trigger a threat intel based detection.        *
    ***********************************************************************

    Calling bitcoin wallets to download mining toolkits

    -----------------------------------------------------------------------

    ***********************************************************************
    * Test #5 - DNS Exfiltration                                          *
    * A common exfiltration technique is to tunnel data out over DNS      *
    * to a fake domain. Its an effective technique because most hosts     *
    * have outbound DNS ports open. This test wont exfiltrate any data,   *
    * but it will generate enough unusual DNS activity to trigger the     *
    * detection.                                                          *
    ***********************************************************************

    Calling large numbers of large domains to simulate tunneling via DNS

    ***********************************************************************
    * Test #6 - Fake domain to prove that GuardDuty is working            *
    * This is a permanent fake domain that customers can use to prove that*
    * GuardDuty is working. Calling this domain will always generate the  *
    * Backdoor:EC2/C&CActivity.B!DNS finding type                         *
    ***********************************************************************

    Calling a well known fake domain that is used to generate a known finding

    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> GuardDutyC2ActivityB.com any
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11495
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;GuardDutyC2ActivityB.com. IN ANY

    ;; ANSWER SECTION:
    GuardDutyC2ActivityB.com. 6943 IN SOA ns1.markmonitor.com. hostmaster.markmonitor.com. 2018091906 86400 3600 2592000 172800
    GuardDutyC2ActivityB.com. 6943 IN NS ns3.markmonitor.com.
    GuardDutyC2ActivityB.com. 6943 IN NS ns5.markmonitor.com.
    GuardDutyC2ActivityB.com. 6943 IN NS ns7.markmonitor.com.
    GuardDutyC2ActivityB.com. 6943 IN NS ns2.markmonitor.com.
    GuardDutyC2ActivityB.com. 6943 IN NS ns4.markmonitor.com.
    GuardDutyC2ActivityB.com. 6943 IN NS ns6.markmonitor.com.
    GuardDutyC2ActivityB.com. 6943 IN NS ns1.markmonitor.com.

    ;; Query time: 27 msec
    ;; SERVER: 172.16.0.2#53(172.16.0.2)
    ;; WHEN: Thu May 19 09:39:23 UTC 2022
    ;; MSG SIZE rcvd: 238

    *****************************************************************************************************
    Expected GuardDuty Findings

    Test 1: Internal Port Scanning
    Expected Finding: EC2 Instance i-011e73af27562827b is performing outbound port scans against remote host. 172.16.0.20
    Finding Type: Recon:EC2/Portscan

    Test 2: SSH Brute Force with Compromised Keys
    Expecting two findings - one for the outbound and one for the inbound detection
    Outbound: i-011e73af27562827b is performing SSH brute force attacks against 172.16.0.20
    Inbound: 172.16.0.25 is performing SSH brute force attacks against i-0bada13e0aa12d383
    Finding Type: UnauthorizedAccess:EC2/SSHBruteForce

    Test 3: RDP Brute Force with Password List
    Expecting two findings - one for the outbound and one for the inbound detection
    Outbound: i-011e73af27562827b is performing RDP brute force attacks against 172.16.0.24
    Inbound: 172.16.0.25 is performing RDP brute force attacks against i-0191573dec3b66924
    Finding Type : UnauthorizedAccess:EC2/RDPBruteForce

    Test 4: Cryptocurrency Activity
    Expected Finding: EC2 Instance i-011e73af27562827b is querying a domain name that is associated with bitcoin activity
    Finding Type : CryptoCurrency:EC2/BitcoinTool.B!DNS

    Test 5: DNS Exfiltration
    Expected Finding: EC2 instance i-011e73af27562827b is attempting to query domain names that resemble exfiltrated data
    Finding Type : Trojan:EC2/DNSDataExfiltration

    Test 6: C&C Activity
    Expected Finding: EC2 instance i-011e73af27562827b is querying a domain name associated with a known Command & Control server.
    Finding Type : Backdoor:EC2/C&CActivity.B!DNS

After a few minutes, the findings appear in the GuardDuty console. At the top, I see the malicious files found by the new Malware Protection capability. One of the findings is related to an EC2 instance, the other to an ECS cluster.

First, I select the finding related to the EC2 instance. In the panel, I see the information on the instance and the malicious file, such as the file name and path. In the Malware scan details section, the Trigger finding ID points to the original GuardDuty finding that triggered the malware scan. In my case, the original finding was that this EC2 instance was performing RDP brute force attacks against another EC2 instance.

Here, I choose Investigate with Detective and, directly from the GuardDuty console, I go to the Detective console to visualize AWS CloudTrail and Amazon Virtual Private Cloud (Amazon VPC) flow data for the EC2 instance, the AWS account, and the IP address affected by the finding. Using Detective, I can analyze, investigate, and identify the root cause of suspicious activities found by GuardDuty.

When I select the finding related to the ECS cluster, I have more information on the resource affected, such as the details of the ECS cluster, the task, the containers, and the container images.

Using the GuardDuty tester scripts makes it easier to test the overall integration of GuardDuty with other security frameworks you use so that you can be ready when a real threat is detected.

Comparing GuardDuty Malware Protection with Amazon Inspector

At this point, you might ask yourself how GuardDuty Malware Protection relates to Amazon Inspector, a service that scans AWS workloads for software vulnerabilities and unintended network exposure. The two services complement each other and offer different layers of protection:

  • Amazon Inspector offers proactive protection by identifying and remediating known software and application vulnerabilities that serve as an entry point for attackers to compromise resources and install malware.
  • GuardDuty Malware Protection detects malware that is found to be present on actively running workloads. At that point, the system has already been compromised, but GuardDuty can limit the time of an infection and take action before a system compromise results in a business-impacting event.

Availability and Pricing

Amazon GuardDuty Malware Protection is available today in all AWS Regions where GuardDuty is available, excluding the AWS China (Beijing), AWS China (Ningxia), AWS GovCloud (US-East), and AWS GovCloud (US-West) Regions.

At launch, GuardDuty Malware Protection is integrated with these partner offerings:

  • BitDefender
  • CloudHesive
  • Crowdstrike
  • Fortinet
  • Palo Alto Networks
  • Rapid7
  • Sophos
  • Sysdig
  • Trellix

With GuardDuty, you don’t need to deploy security software or agents to monitor for malware. You only pay for the amount of GB scanned in the file systems (not for the size of the EBS volumes) and for the EBS snapshots during the time they are kept in your account. All EBS snapshots created by GuardDuty are automatically deleted after they are scanned unless you enable snapshot retention when malware is found. For more information, see GuardDuty pricing and EBS pricing.

Note that GuardDuty only scans EBS volumes less than 1 TB in size. To help you control costs and avoid repeating alarms, the same volume is not scanned more often than once every 24 hours.

Detect malicious activity and protect your applications from malware with Amazon GuardDuty.

— Danilo

View the full article
  18. Operating System forensics is the art of exploring digital evidence left by apps, systems, and user activity to answer a specific question. Law enforcement agencies often use it concerning digital crime. While Windows forensics is widely covered and well researched, there’s very little information about Linux forensics.

This article reviews the top five best Linux forensics books. Whether you want to investigate a Linux system (for whatever reason!) or get a grip over how Linux works under the covers, these books will keep you updated. We selected these books based on ratings, recommendations, and positive public sentiment. Let’s get to the books!

1. Practical Forensic Imaging: Securing Digital Evidence with Linux Tools (1st Edition) by Bruce Nikkel

Forensic image acquisition is an essential part of evidence collection, analysis, and post-mortem incident response. Digital forensic experts acquire, preserve, and manage data evidence to support criminal and civil cases; resolve disputes; examine company policy violations; and analyze different types of cyberattacks.

Practical Forensic Imaging takes a comprehensive look at securing and managing digital evidence using Linux-based tools. This essential reference book walks you through the entire digital forensic acquisition process. It covers a range of practical scenarios related to the imaging of storage media.

This book explains how to perform forensic imaging of magnetic HDDs, optical discs, SSDs and flash drives, magnetic tapes, and other legacy technologies. It deals with how to protect the attached evidence media from unintentional modification. It further teaches you the management of large forensic image files, image format conversion, image compression, storage capacity, image splitting, duplication, secure transfers and storage, and secure disposal. It shows how to preserve, collect, and verify evidence integrity with cryptographic and piecewise hashing, public key signatures, and RFC-3161 timestamping. Moreover, it explains working with the latest drive and interface technologies such as NVMe, SATA Express, 4K-native sector drives, SAS, SSHDs, UASP/USB3x, and Thunderbolt.

With its focus on digital forensic acquisition and evidence preservation, this book is a valuable resource for experienced digital forensic investigators wanting to further enhance their Linux forensics skills. We call it a must-have reference guide for every digital forensics lab. However, you should be comfortable with the Linux command line. Otherwise, it will fly over your head.

Buy Here: Amazon

About the Author: Bruce Nikkel holds a Ph.D. in network forensics and works as the head of the Cybercrime Intelligence & Forensic Investigation team at a Switzerland-based global financial institution. Here he has managed IT forensics since 2015. Also, he has published research on various topics related to Linux forensics.

2. Digital Forensics With Kali Linux (Second Edition) by Shiva V.N. Parasram

Kali is a Debian-based distro used mainly for pen-testing and digital forensics. It offers a range of tools to help in incident response and forensics investigations. This is the second edition of the book published in 2020 and covers the most updated information you can find. It starts by introducing the fundamentals of digital forensics and setting up the Kali environment to perform different (best) investigation practices.

The book delves into the OS, file systems, and the various formats for file storage, including secret hiding places unseen by the end-user or even the operating system. The book teaches how to create forensic data images and maintain integrity using different hashing tools. For instance, it explains the use of tools like DC3DD and Guymager for data acquisition and data preservation techniques. Next, you also get to master advanced topics such as autopsies and acquiring investigation data from the network, operating system memory, and so on. Some tools worth mentioning that the book explains are Foremost and Scalpel to recover deleted data, Volatility to get the evidence of malicious programs, and Xplico to perform network and internet capture analyses. The book also introduces you to powerful tools like the DFF and Autopsy automated forensic suites that will take your forensic capabilities up a notch to the professional level.

By the end of this fantastic book, you will have had hands-on experience implementing all the pillars of digital forensics—acquisition, extraction, analyses, and presentation using Kali Linux tools. This book is targeted at security analysts, forensics and digital investigators, or other stakeholders interested in learning digital forensics using Kali Linux. Basic knowledge of Kali will be an added advantage, but it’s not necessary.

Buy Here: Amazon

About the Author: Shiva V. N. Parasram is the Executive Director and CISO of the Computer Forensics and Security Institute, specializing in forensics, penetration testing, and advanced cybersecurity training. As the only Certified EC-Council Instructor in the Caribbean region, he has trained hundreds in CCNA, CND, CEH, ECSA, CHFI, and CCISO, among other certifications. He has authored two books and delivered countless lectures worldwide.

3. Linux Forensics by Philip Polstra

Perhaps the most widely known Linux forensics book on this list is Linux Forensics by Philip Polstra. It is a great introductory book to start with Linux DFIR. Linux Forensics is a step-by-step guide through the process of investigating a PC running Linux. From the moment you get a message from someone who thinks they have been attacked until the final report is compiled, everything is covered in this book.

It begins by showing you how to determine whether there was an incident with minimally invasive techniques. Once an incident has been confirmed, the author shows you how to gather data from a live system before shutting it down completely for the creation of filesystem images. What’s more, all of the tools mentioned in this book are free and open source.

The author further shows how to leverage Python, shell scripting, and MySQL to efficiently analyze a Linux system. While you will have a strong understanding of Python and shell scripting by the time you complete this book, no prior knowledge of these languages is assumed.

Balancing masterfully between theory and practice, Linux Forensics contains extensive coverage of Linux ext2, ext3, and ext4. A great collection of Python and shell scripts for creating, mounting, and analyzing different filesystem images is also presented in this book. Discussions of advanced attacks and malware analysis round out the book in the final chapters.

Unfortunately, we found that some of the forensic image links provided in the book are broken, and there have been no corrections so far. But even then, Linux Forensics is an excellent asset for anyone wanting to better understand Linux internals and start their journey towards mastering Linux forensics.

Buy Here: Amazon

About the Author: Dr. Philip Polstra (aka Infosec Dr. Phil) is a Digital Forensics professor at the Bloomsburg University of Pennsylvania. He has written extensively in the field of hacking, penetration testing, and digital forensics (both Linux and Windows). He has appeared at DEFCON, 44CON, BlackHat, B-sides, GrrCON, and spoken at top conferences worldwide, usually on forensics and hardware hacking.

4. Malware Forensics Field Guide for Linux Systems by Cameron H. Malin, Eoghan Casey, and James M. Aquilina

This is a handy reference book that shows the essential tools for computer forensics analysis at a crime scene. It is also a part of Syngress Digital Forensics Field Guides, a series of companions for digital and computer forensics students, investigators, or analysts. Each Guide is a separate toolkit, with checklists for tasks, case studies of challenging situations, and expert analyst instructions that help recover data from digital media to be used in criminal prosecution.

This book shows how to collect data from different electronic data storage and transfer devices, including desktops, laptops, and PDAs, and the images, spreadsheets, and file types stored on these devices.

Chapters cover malware incident response (examination of a live system and volatile data collection); analyses of physical and process memory dumps for identifying malware artifacts; post-mortem forensics (extracting malware and linked artifacts from Linux-based systems); different legal considerations (relevant only to US courts); file identification and profiling (initial analysis of a suspected file); and analysis of a suspect host.

This book is short, raw, sweet, and to the point. It will appeal to beginner and mid-level computer forensic investigators and digital analysts.

Buy Here: Amazon

About the Authors: The authors are digital forensics professionals and experts in investigating and evaluating malicious code. They have written multiple books together and in an individual capacity. Mr. James M. Aquilina is currently an Advisor to the Board of Directors at The Crypsis Group and a former federal prosecutor. Mr. Cameron H. Malin assists the FBI in cases of computer intrusion and malware code matters. Eoghan Casey is associated with the University of Lausanne, Switzerland, and has written extensively on topics such as data breaches, digital frauds, crimes, and identity theft.

5. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory by Michael Hale Ligh, Jamie Levy and Aaron Walters

And of course, no digital forensics book list will be complete without “The Art of Memory Forensics.” This is a follow-up to “Malware Analyst’s Cookbook”. It brings you a step-by-step guide to memory forensics–now the most in-demand skill in digital forensics, data acquisition, and incident response fields.

The book begins with introductory concepts and moves towards more advanced topics. It’s based on a five-day training course that the authors have crafted for students. The book focuses exclusively on memory forensics and how to deploy its various techniques: for example, how volatile memory analyses improve digital investigations, investigative steps to detect stealth malware and advanced threats, how to use open-source tools for conducting thorough memory forensics, and different ways to acquire memory from suspect systems in a sound manner.

Today malware and security breaches are more sophisticated, and volatile memory is often overlooked and neglected as part of the incident response process. The Art of Memory Forensics explains technological innovations in digital forensics to help bridge this gap. It covers the most popular versions of Windows, Linux, and Mac.

Although it was released back in 2014 and some of the content mentioned here feels dated, The Art of Memory Forensics is an absolute memory forensics bible. It is essential for anyone performing memory analyses. PS: this book is dense, and prior knowledge of computer OS internals comes in handy.

Buy Here: Amazon

About the Authors: Experts in the fields of malware, security, and digital forensics, the writers work with various educational and professional institutes around the globe. They have authored several books, peer-reviewed conference publications (at OMFW, CEIC, IEEE, etc.), and research papers on digital forensics. They are also avid contributors to the open-source computer forensics community.

Final Thoughts

Digital forensics is a vast field and there are numerous good books available in the market. This article attempted to review only the best Linux forensics books. Some books mentioned above are intended for beginners, while others focus more on advanced concepts. Choose one according to your educational background and expertise level. And don’t forget to let us know what you think in the comments below. Thank you for reading!

View the full article