Showing results for tags 'malware'.
  1. Recently, there’s been a lot of talk about how Apple is going to infuse its products with artificial intelligence (AI) at its Worldwide Developers Conference (WWDC) in June. But there’s another way the company might be putting AI to good use – and it could help keep your Mac safe from malware and other digital nasties.

     As spotted by macOS developer and blogger Howard Oakley, Apple has just updated its XProtect anti-malware system with 74 new rules aimed specifically at the Adload adware virus, which hijacks your browser and forces you to visit malicious sites. XProtect is a built-in macOS feature that detects malicious code in third-party apps and prevents them from running, and an update to its definitions is not particularly unusual. But what is unusual is the sheer size of the XProtect update. As Oakley puts it, “developing that many [definitions] by hand would normally take considerable time and effort.”

     And that raises an interesting question: is Apple using AI to write its antivirus definitions? Oakley certainly thinks it’s a possibility. In the blog post, he suggests that it could be a potential solution to a problem like Adload, which is frequently updated to evade detection, which in turn necessitates companies like Apple rapidly reacting to it. If Apple is using AI to do the heavy lifting, it might “overwhelm [Adload’s] efforts to evade detection until the malware has been extensively rewritten,” Oakley says.

     AI vs malware

     There’s been much debate over what the rapid development of generative AI tools like ChatGPT will mean for malware creators and those who are fighting back against them. For some, it might help bad actors more rapidly craft viruses and trojans. For others, it’s an excellent tool for reverse engineering malware and building better defenses against it. Last year, I spoke to a range of cybersecurity experts on this topic. Joshua Long, Chief Security Analyst at antivirus firm Intego, suggested that AI can help to spot zero-day flaws by analyzing code uploaded into its chat window. And Martin Zugec, Technical Solutions Director at Bitdefender, noted: “The majority of novice malware writers are not likely to possess the skills required to bypass [ChatGPT’s] security measures, and therefore the risk posed by chatbot-generated malware remains relatively low at this time.”

     Whatever the case, it would be surprising if Apple was not at least looking into using AI to help write its antivirus definitions. Malware threats are always evolving, which means defenders need to adapt as quickly as possible to keep them out. With the speed that AI allows, it could become an invaluable tool in the antivirus arsenal. Interestingly, Oakley notes that there are already several AI tools that can write antivirus definitions, “but Apple doesn’t appear to have made much use of them in the past, at least not on this unprecedented scale.” Given the Adload example, we might soon see AI playing a much more active role in keeping your Mac safe.
  2. Cybercriminals pilfered an average of 50.9 login credentials per device, evidence of the pressing need for cybersecurity measures. The post 10 Million Devices Were Infected by Data-Stealing Malware in 2023 appeared first on Security Boulevard.
  3. Visa is warning its partners, clients, and customers of an ongoing phishing attack that aims to deliver a banking trojan. The Visa Payment Fraud Disruption (PFD) unit sent out a security alert to card issuers, processors, and acquirers, noting it had observed a new phishing campaign that started in late March this year. The campaign targets mostly financial institutions in South and Southeast Asia, the Middle East, and Africa, and aims to drop a new version of the banking trojan called JsOutProx. "While PFD could not confirm the ultimate goal of the recently identified malware campaign, this eCrime group may have previously targeted financial institutions to conduct fraudulent activity."

     Impersonating legitimate institutions

     Unfortunately, we don’t know the name of the threat actor behind the campaign, or the number of companies that fell victim. The researchers speculate, based on the sophistication of the attacks, the profile of the victims, and their geographical location, that the attackers are most likely China-based, or at least China-affiliated. We also know that JsOutProx is a remote access trojan that was first spotted in late 2019, and is described as a “highly obfuscated” JavaScript backdoor that allows its users to run shell commands, download additional malware, run files, grab screenshots, control various peripherals, and establish persistence on the target endpoint. It’s hosted on a GitLab repository, apparently. In the phishing emails, the attackers are impersonating legitimate institutions, showing victims fake SWIFT and MoneyGram payment notifications.

     Phishing remains one of the most lucrative ways to deploy malware. It’s cheap and easily scalable, and now, with the help of generative artificial intelligence, relatively difficult to spot. IT teams are advised to educate their employees to identify a phishing attack, as well as to install email security software, firewalls, and antivirus tools.

     Via BleepingComputer
  4. No, your company’s vehicle wasn’t involved in a car crash, and you’re not getting a five-figure fine for it from the government - it’s all an elaborate scheme to get you to install information-stealing malware on your computer, experts have warned. Cybersecurity researchers from the Cofense Intelligence Team recently published a new blog in which they detailed a new phishing campaign that reaches its targets “at an alarming rate”. In this campaign, the attackers are deploying a creative lure and pairing it with multiple cloak-and-dagger methods to bypass email protection solutions. Furthermore, they are impersonating the Federal Bureau of Transportation to scare the victims into downloading and running the attachment.

     Open redirects and impersonation

     In the campaign, the unnamed attackers tell their victims that a company car was involved in an accident. The victims are mostly in the Oil and Gas sector, although Cofense isn’t sure exactly why. They speculate that the attackers could pivot to other industries rather fast, and will probably do that soon. The phishing email comes with an embedded link that abuses open redirects, a vulnerability that allows an attacker to use a legitimate website as a stepping stone towards the malicious one. In this campaign, Google Maps and Google Images are being leveraged. The embedded link then redirects to a URL shortener, which then opens a site that hosts a PDF file. This file is seemingly from the Federal Bureau of Transportation, and mentions a possible fine of $30,000 for the incident. It also comes with a clickable image, which triggers the download of a .ZIP file that hosts the Rhadamanthys Stealer. As soon as the file is run, it establishes a connection to the command and control (C2) server, and grabs the victim’s login credentials, cryptocurrency wallet data, and other sensitive files.

     As usual, the best way to defend against these attacks is to use common sense and think twice before downloading and running email attachments.
  5. Cybersecurity researchers from Trend Micro have uncovered a brand new piece of malware that uses an unusual method of hiding from antivirus programs. The malware is called UNAPIMON, and is apparently being used by Winnti, an established Chinese state-sponsored threat actor that was behind some of the most devastating attacks against governments, hardware and software vendors, think tanks, and more. According to Trend Micro, many malware variants are using a method known as API hooking to eavesdrop on calls, grab sensitive data, and tweak different software. Therefore, many security tools also use API hooking to track the malware.

     Simplicity and originality

     "With UNAPIMON, things are different. It uses Microsoft Detours for hooking the CreateProcessW API function, which allows it to unhook critical API functions in child processes. As a result, it successfully evades antivirus detection. A unique and notable feature of this malware is its simplicity and originality," Trend Micro said in its report. "Its use of existing technologies, such as Microsoft Detours, shows that any simple and off-the-shelf library can be used maliciously if used creatively. This also displayed the coding prowess and creativity of the malware writer." "In typical scenarios, it is the malware that does the hooking. However, it is the opposite in this case."

     Using Microsoft Detours in this regard has other benefits, too, the researchers explained. As this is a legitimate debugging tool, it even evades behavioral detection. In its writeup, BleepingComputer described Winnti hackers as “known for their novel methods of evading detection when conducting attacks.” Back in 2020, the group was spotted abusing Windows print processors to hide a piece of malware and persist on the target network. Two years later, they broke a Cobalt Strike beacon into more than a hundred pieces, and only reconstructed it when they needed to use it.
  6. A new version of a known Android banking trojan is making the rounds on the internet, stealing sensitive data, and possibly even money, from its victims. Cybersecurity researchers from NCC Group’s Fox-IT sounded the alarm about a new, upgraded version of the Vultur banking trojan, first spotted in early 2021 but having received a number of important changes and upgrades since then. While previous versions were being distributed via dropper apps that were smuggled onto the Play Store, this new version uses a combination of smishing and legitimate app abuse. The researchers said that the attackers would first send an SMS message to their victims, warning them of an unauthorized payment transaction and sharing a phone number for the victim to call.

     Full takeover

     If the victim takes the bait and calls the number, the attacker then persuades them to download a compromised version of the McAfee Security app. While on the surface the app works as intended, in the background it delivers the Brunhilda malware dropper. This dropper drops three payloads, including two APKs and a DEX file which, after obtaining Accessibility Services, establish a connection with the command and control (C2) server, and grant the attackers remote control over the Android device. For a trojan, Vultur is quite competent. It can record the screen, log keystrokes, and grant the attackers remote access via AlphaVNC and ngrok. Furthermore, it allows the attackers to download and upload files, install apps, delete files, click, scroll, and swipe through the device, and block different apps from running. It can also display custom notifications and disable Keyguard to bypass the lock screen. Finally, Vultur encrypts its C2 communications to further evade detection.

     As usual, the best way to defend against these threats is to use common sense, and only download apps from legitimate, proven repositories.

     Via BleepingComputer
  7. A dangerous espionage malware, previously only used against Windows devices, is increasingly being observed on Linux machines, too, experts have warned. Following earlier reports by ESET and Trend Micro, Kaspersky is now warning of the Dinodas Remote Access Trojan (RAT), signaling the rising popularity of the malware. Kaspersky claims the backdoor is “fully functional, granting the operator complete control over the infected machine, enabling data exfiltration and espionage”. DinodasRAT is designed to monitor, control, and steal data from target endpoints. Besides stealing data, it can run processes, create a remote shell for direct command or file execution, update and upgrade itself, and uninstall itself and delete all traces of its existence.

     XDealer and DinodasRAT

     Older reports indicate that DinodasRAT is a Linux version of a known Windows RAT dubbed XDealer. Earlier in March, Trend Micro observed the Chinese APT group known as “Earth Krahang” using XDealer against both Windows and Linux systems belonging to “governments worldwide”. The researchers did not detail how the attackers managed to drop the malware onto target endpoints, but did stress that since October 2023, the targets were mostly located in China, Taiwan, Turkey, and Uzbekistan. Today, many nation-states are engaged in cyber-warfare, disrupting operations and stealing sensitive data from their adversaries. Besides China, there are notable threats coming from North Korea (Lazarus Group, for example), Russia (Fancy Bear), Iran (Scarred Manticore), and others. With war raging in Ukraine, China eyeing Taiwan, Israel engaged against Hamas, as well as other potential hotspots (the issues of migration in both Europe and the States, U.S. presidential elections), it is no wonder that not a day goes by without news of state-sponsored hacking groups engaging in cyber-espionage.

     The rising popularity of DinodasRAT only demonstrates the increasing use of Linux-powered devices in government agencies around the world.

     Via BleepingComputer
  8. Python Package Index (PyPI), the largest repository of Python packages, has once again been forced to suspend new account and new project registrations. Cybersecurity experts from both Checkmarx and Check Point observed a large-scale cyberattack in which threat actors tried to upload hundreds of malicious packages to the platform, in an attempt to compromise software developers and mount supply chain attacks. The packages mimic legitimate ones already uploaded to PyPI, an attack usually called “typosquatting”. It relies on developers being reckless and picking up the malicious version of the package instead of the legitimate one. While Checkmarx says the attackers tried to upload some 365 packages, Check Point claims at least 500. Regardless of the total number, the attack’s goal is to get the victims to install an infostealer with persistence capabilities. This infostealer grabs, among other things, passwords stored in browsers, cookies, and cryptocurrency wallet-related information.

     Registrations reopened

     PyPI seems to have addressed the issue in the meantime, as at the time of writing, registrations were reopened. PyPI is the world’s biggest repository for open-source Python packages, and as such, is facing a constant barrage of cyberattacks. In late May 2023, the platform was forced to do the same thing, as it faced an “unimaginable flood of malicious code” being uploaded to the platform. In an announcement posted on the PyPI status page, the organization said: “The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion, especially with multiple PyPI administrators on leave.” It took the company the entire weekend to lift the suspension.

     Via BleepingComputer
  9. Emergency stop button: The Python Package Index was drowning in malicious code again, so they had to shut down registration for cleanup. The post PyPI Goes Quiet After Huge Malware Attack: 500+ Typosquat Fakes Found appeared first on Security Boulevard.
  10. Thousands of old, outdated Asus routers are being targeted by a new version of the “TheMoon” malware botnet, turning them into a network of devices used by a criminal residential proxy service. Researchers from Black Lotus Labs claim the campaign started in early March 2024 and within 72 hours compromised roughly 6,000 Asus routers. These routers are older and past their end-of-life date, prompting the researchers to speculate that the hackers were most likely abusing a known vulnerability to deploy the malware.

     Becoming Faceless

     While Asus routers do make up the majority of the infected devices, they’re not the only ones. Black Lotus says that roughly 7,000 new endpoints are being added to the botnet every week. They are located all over the world, so no specific geography seems to be preferred. Other methods of breaching the devices include brute-force attacks and credential stuffing. Once the devices are infected, they become part of the Faceless proxy service, a known dark web tool that hackers use to hide their online activities, BleepingComputer explained. Among the groups using Faceless are IcedID and SolarMarker. "Through Lumen's global network visibility, Black Lotus Labs has identified the logical map of the Faceless proxy service, including a campaign that began in the first week of March 2024 that targeted over 6,000 ASUS routers in less than 72 hours," Black Lotus explained. Threat actors interested in Faceless’ services can only pay with cryptocurrencies, and are not required to verify their identities. What’s more, they keep their infrastructure a secret by having each device communicate with just one server for as long as it’s infected. A third of infections last more than 50 days, while roughly 15% get eliminated within two days.

     The best way to defend against these threats is to make sure your routers are always updated and that they have a strong password.
  11. Cybersecurity researchers from Checkmarx have discovered a new infostealing campaign that leveraged typosquatting and stolen GitHub accounts to distribute malicious Python packages to the PyPI repository. In a blog post, Tal Folkman, Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornshtain of Checkmarx said they discovered the campaign after a Python developer complained about falling victim to the attack. Apparently, the company believes more than 170,000 people are at risk.

     Infostealers and keyloggers

     The attackers first took a popular Python mirror, Pythonhosted, and created a typosquatted website version. They named it PyPIhosted. Then, they grabbed a major package, called Colorama (150+ million monthly downloads), added malicious code to it, and then uploaded it to their typosquatted-domain fake mirror. “This strategy makes it considerably more challenging to identify the package's harmful nature with the naked eye, as it initially appears to be a legitimate dependency,” the researchers explained. Another strategy involved stealing popular GitHub accounts. An account named “editor-syntax” was compromised, most likely via session cookie theft. By obtaining session cookies, the attackers managed to bypass any and all authentication methods and logged directly into the person’s account. Editor-syntax is a major contributor, maintaining the Top.gg GitHub organization, whose community counts more than 170,000 members. The threat actors used the access to commit malware to the Top.gg Python library. The goal of the campaign was to steal sensitive data from the victims.

     Checkmarx’s researchers said the malware stole browser data (cookies, autofill information, browsing history, bookmarks, credit cards, and login credentials, from the biggest browsers such as Opera, Chrome, Brave, Vivaldi, Yandex, and Edge), Discord data (including Discord tokens, which can be used to access accounts), cryptocurrency wallet data, Telegram chat sessions, computer files, and Instagram data. Further analysis also discovered that the infostealer was able to work as a keylogger as well.
  12. Hackers have been observed installing a brand new piece of malware on vulnerable WordPress sites. Dubbed Sign1, the malware redirects visitors to dangerous websites, and shows them popup ads the owners never intended to show. The discovery was made earlier this week by cybersecurity researchers at Sucuri, after a client said its website was misbehaving, BleepingComputer reports.

     Multiple obfuscation methods

     As per Sucuri’s report, its client’s website was brute-forced, with unnamed hackers trying countless username/password combinations until they found one that worked. After that, instead of modifying the WordPress files (which is standard practice for WordPress-related attacks, it seems), the threat actors either injected the malware into custom HTML widgets and plugins, or installed Simple Custom CSS and JS plugins to add the JavaScript code to the site. Subsequent investigation showed that more than 39,000 websites were infected with the same malware. Sucuri isn’t certain how other websites were compromised, but speculates that the attackers used a combination of brute-forcing and leveraging vulnerabilities in different plugins and themes. Sign1 also has a couple of methods to avoid being spotted. For starters, it uses time-based randomization, generating dynamic URLs that change every 10 minutes. That way, the malware ensures the domains are always fresh and not added to any blocklists. Secondly, the domains are hosted on HETZNER and Cloudflare, obfuscating both hosting and IP addresses. Finally, the injected code comes with XOR encoding and random variable names, making detection even more difficult. The campaign has been ongoing for roughly six months, the researchers concluded, adding that the malware is in active development. Every time the developers release a new version, infections spike. The latest attack started in January 2024 and has so far resulted in roughly 2,500 compromised websites.

     To remain secure, the researchers advise website owners to make sure their username/password combination is strong enough not to be breached with brute-force attacks. All unused or unnecessary plugins and themes should also be uninstalled, as they can allow the attackers unabated access to the premises.
  13. Hackers are using a novel phishing technique to deliver remote access trojans (RATs) to unsuspecting victims. According to the report, published this Monday, threat actors are using a technique called Object Linking and Embedding (OLE). This is a Windows feature that allows users to embed and link documents within documents, resulting in compound files with elements from different programs.

     New phishing methods

     This is according to cybersecurity experts Perception Point, who recently detailed a campaign they dubbed Operation PhantomBlu. The campaign starts with the usual phishing email, seemingly coming from the victim’s company accounting department. The emails are being sent from a legitimate marketing platform called Brevo, suggesting the platform was most likely compromised in some way. Attached to the email is a Word “monthly salary report” document. The victims that download the file are first asked to enter a password to open it, and then to double-click a printer icon embedded in the doc. By doing that, the victim runs a ZIP archive file holding a Windows shortcut file, which runs a PowerShell dropper which deploys the NetSupport RAT from a remote server. "By using encrypted .docs to deliver the NetSupport RAT via OLE template and template injection, PhantomBlu marks a departure from the conventional TTPs commonly associated with NetSupport RAT deployments," said Ariel Davidpur, the report’s author, adding the updated technique "showcases PhantomBlu's innovation in blending sophisticated evasion tactics with social engineering." NetSupport RAT is a weaponized version of NetSupport Manager, a legitimate remote control software, first released in 1989. For years now, NetSupport RAT has been one of the most commonly used remote access trojans, allowing attackers unabated access to compromised devices. They can then use that access to deploy even more dangerous malware, including infostealers and ransomware.

     The best way to protect against these attacks is to be vigilant when receiving emails and to only download attachments from verified sources.
  14. Cybersecurity researchers have found a new version of a well-known Android banking trojan malware which sports quite a creative method of hiding in plain sight. PixPirate targets mostly Brazilian consumers with accounts on the Pix instant payment platform, which allegedly counts more than 140 million customers, and services transactions north of $250 billion. The campaign’s goal was to divert the cash to attacker-owned accounts. Usually, banking trojans on Android would try to hide by changing their app icons and names. Often, the trojans would assume the “settings” icon, or something similar, tricking the victims into looking elsewhere, or simply into being too afraid to remove the app from their device. PixPirate, on the other hand, gets rid of all of that by not having an icon in the first place.

     Running the malware

     The big caveat here is that without the icon, the victims cannot launch the trojan, so that crucial part of the equation is left to the attackers. The campaign consists of two apps - the dropper, and the “droppee”. The dropper is being distributed on third-party stores, shady websites, and via social media channels, and is designed to deliver the final payload - droppee - and to run it (after asking for Accessibility and other permissions). Droppee, which is PixPirate’s filename, exports a service to which other apps can connect. The dropper connects to that service, allowing it to run the trojan. Even after removing the dropper, the malware can still run on its own, on certain triggers (for example, on boot, on network change, or on other system events). The entire process, from harvesting user credentials to initiating money transfer, is automated, and done in the background without the victim’s knowledge or consent. The only thing standing in the way, the researchers claim, are Accessibility Service permissions. It is also worth mentioning that this method only works on older versions of Android, up to Pie (9).

     Via BleepingComputer
  15. More than 3,000 WordPress-powered websites were compromised as a result of not patching a known vulnerability fast enough, a report from cybersecurity researchers Sucuri and PublicWWW has claimed. Sucuri says that over the past couple of weeks, unnamed threat actors were leveraging a vulnerability tracked as CVE-2023-6000 to redirect people to malicious websites. This vulnerability, described as a cross-site scripting (XSS) flaw, was discovered in Popup Builder version 4.2.3 and older, in November last year. Popup Builder is a popular plugin for WordPress websites which, as the name suggests, allows website administrators to build and deploy popup windows. As per WordPress data, there are more than 80,000 websites currently using Popup Builder 4.1 and older. These older versions, susceptible to an attack, allow threat actors to deploy malicious code inside the WordPress website.

     Securing the website

     This code, the researchers explain, can redirect visitors to malicious websites, such as phishing sites, pages hosting malware, and more. Sucuri claims 1,170 websites have been compromised via this bug in the past couple of weeks, while PublicWWW puts the figure at around 3,300. To defend against these attackers, webmasters can do a couple of things. First - they can (and they should) update their plugins. Popup Builder addressed the flaw in version 4.2.7. Webmasters should also analyze their site’s code for malicious entries from the plugin’s custom sections. Furthermore, they should scan for hidden backdoors to prevent the attackers from moving back in. Finally, they should block the "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com” domains, as that is where the attacks come from. Attacks against WordPress plugins and themes are nothing new. As WordPress is generally considered a safe web hosting and design platform, threat actors usually hunt for flaws in third-party additions.

     Via BleepingComputer
  16. Hackers are, once again, impersonating major tech brands to trick people into downloading malware to their computers, experts have warned. Cybersecurity researchers from the Zscaler ThreatLabz recently discovered a new campaign, in which unidentified threat actors created countless websites whose URL is almost identical to actual websites belonging to the likes Google, Skype, and Zoom. This method is also known as “typosquatting”, and relies on the fact that many people won’t spot a “typo” in the URL, and will believe they are on the legitimate site instead of a malicious one. Sites in Russian The websites pretend to host video conferencing software, such as Google Meet and the likes. The software offers download links for Windows, Android, and iOS. However, while the iOS link doesn’t do anything malicious (it redirects the users to the actual product), the Android and Windows deliver malware. For Android, it’s nothing more than an APK, but for Windows, it initiates the download of a batch script. That batch executes a PowerShell script, which downloads and runs one of a few remote access trojans (RAT) spotted in the campaign - Spynote RAT (Android), NjRAT, or DCRat (Windows). The campaign has been active since December 2023, with the researchers adding that the spoofed sites are Russian, indicating that the threat actors are either Russian themselves, or simply targeting Russian consumers. "The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems," they added. The RATs can be used for a wide array of malicious activities, from stealing sensitive information from the devices, to logging keystrokes, and exfiltrating files. The methods of promoting these websites is unknown, but it is safe to assume that there is a phishing campaign active somewhere on the internet, and that the sites are being actively promoted on social media and various online forums. 
Via TheHackerNews
  17. Hackers are exploiting misconfigured servers running Docker, Confluence, and other services in order to drop cryptocurrency miners. Researchers at Cado Security Labs recently observed one such malware campaign, noting how threat actors are using multiple “unique and unreported payloads”, including four Golang binaries, to automatically discover Apache Hadoop YARN, Docker, Confluence, and Redis hosts vulnerable to CVE-2022-26134, an unauthenticated and remote OGNL injection vulnerability that allows for remote code execution. This flaw was first discovered two years ago, when threat actors targeted Confluence servers (typically the confluence user on Linux installations). At the time, the researchers said internet-facing Confluence servers were at “very high risk”, and urged IT teams to apply the patch immediately. It seems that even now, two years later, not all users have installed the available fixes.

Unidentified threat

The tools are also designed to exploit the flaw and drop a cryptocurrency miner, spawn a reverse shell, and enable persistent access to the compromised hosts. Cryptocurrency miners are popular among cybercriminals, as they take advantage of the high compute power of a server to generate almost untraceable profits. One of the most popular crypto-miners out there is called XMRig, a small program mining the Monero currency. On the victim’s side, however, not only are their servers unusable, but the miners would rack up their electricity bill fairly quickly. For now, Cado is unable to attribute the campaign to any specific threat actor, saying it would need the help of law enforcement for that: “As always, it’s worth stressing that without the capabilities of governments or law enforcement agencies, attribution is nearly impossible – particularly where shell script payloads are concerned,” it said. Still, it added that the shell script payloads are similar to ones seen in attacks done by TeamTNT and WatchDog.
  18. Threat actors have been targeting telecom operators across the world in a stealthy, sophisticated espionage campaign, new research has found. A report from BleepingComputer cites the findings of a security researcher with the alias HaxRob who found two versions of a previously unknown backdoor, uploaded to VirusTotal in late 2023. The backdoor is called GTPDOOR, and apparently, it targets a “very old Red Hat Linux version, indicating an outdated target.” The backdoor was said to be targeting SGSN, GGSN, and P-GW, systems which are adjacent to the GPRS roaming eXchange (GRX) service. These services can grant the attackers direct access to a telecom’s core network which, in turn, would allow them to gather sensitive, private information. With the help of GTPDOOR, the attackers could set a new encryption key for C2 communications, write arbitrary data to a local file named “system.conf”, execute arbitrary shell commands and return the output back to the C2, specify which IP addresses can communicate with the compromised host, pull the ACL list, and finally, reset the malware.

LightBasin returns

The backdoors were “largely undetected” by antivirus engines, BleepingComputer notes. The researcher attributed the backdoor to LightBasin, allegedly a Chinese threat actor, also known as UNC1945. It was first spotted by cybersecurity researchers Mandiant, back in 2016 and has, since then, been observed targeting the telecommunications sector at a global scale. The group has in-depth knowledge of telecommunications network architecture and protocols, it was said, and emulated some of them to steal “highly specific information” from mobile communication infrastructure (for example, subscriber information and call metadata). In a report from late 2021, researchers from CrowdStrike said LightBasin managed to attack 13 global telecoms in two years.
To defend against such attacks, the researchers agree, businesses should watch out for unusual raw socket activities, unexpected process names, and malware indicators such as duplicate syslog processes.
  19. Hackers are using complex social engineering campaigns and calendar invites to distribute Mac malware. The hackers are abusing calendar scheduling tool Calendly to distribute meeting invites as part of their attempts to fool the best Mac antivirus. The narrative behind this campaign is far more complex than the usual email spam you might be used to, so here is how they did it, and how to keep yourself safe if you get targeted.

Shady investments

Disclosed by a reader of Krebs On Security, the campaign saw hackers go after cryptocurrency by posing as investors looking for their next startup to provide with funding. In this case, the victim was originally contacted via Telegram looking for an investment opportunity. The scammer wanted to organize a meeting to discuss the potential investment options, and so the victims sent over their Calendly details in order to organize a video call. The fateful day approached, but nothing happened when the victim attempted to open the meeting link. Lo and behold, the scammers’ ‘IT team’ fixed the issue by sending out a new meeting link. Alas, the second link opened up a technical error message instead of the meeting, with a message displaying that there was an error with the video service. Luckily the message had a handy little script that could fix the issue and allow the victim to finally get some facetime with the potential investors. Rather than being graced with the face of the generous benefactor, the script installed a trojan with the ability to steal sensitive information from the victim’s Mac device. The victim, realizing the error of their ways, then changed their passwords and installed a fresh version of macOS. While this was a good choice on the victim’s part, it unfortunately means that there is no evidence to suggest exactly what strain of malware was used.
In order to keep your device safe, always have a healthy amount of suspicion when receiving and clicking on any links sent from a stranger, and be sure to keep your device up to date with the latest updates, or take a look at some of the best firewalls to keep your device secure. Via TomsGuide
  20. Hackers are exploiting a zero-day vulnerability in Windows Defender SmartScreen to infect crypto traders with malware. Researchers from Trend Micro revealed a threat actor going by Water Hydra (AKA DarkCasino) abused the zero-day, now tracked as CVE-2024-21412, in attacks conducted on New Year’s Eve 2023. Microsoft has since released a patch, and in a follow-up advisory, explained that an unauthenticated attacker “could send the targeted user a specially crafted file that is designed to bypass displayed security checks."

Spearphishing on Telegram

Microsoft further explained that the attack still relies on victim action: "However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link." Trend Micro claims Water Hydra was joining Telegram channels and forums for forex, stock, and crypto traders, and used spearphishing techniques to get people to install the DarkMe malware. The group shared a stock chart that linked to fxbulls[.]ru, a compromised Russian trading information site that, in fact, impersonates fxbulls[.]com, a forex broker platform. DarkMe, while dangerous on its own, was just a step towards the final goal, which was to deploy ransomware, the researchers claim. "In late December 2023, we began tracking a campaign by the Water Hydra group that contained similar tools, tactics, and procedures (TTPs) that involved abusing internet shortcuts (.URL) and Web-based Distributed Authoring and Versioning (WebDAV) components," Trend Micro explained. "We concluded that calling a shortcut within another shortcut was sufficient to evade SmartScreen, which failed to properly apply Mark-of-the-Web (MotW), a critical Windows component that alerts users when opening or running files from an untrusted source." The crypto industry has always been a popular target for cybercriminals.
However, with bitcoin exchange-traded funds (ETF) finally approved, and the Bitcoin halving just two months away, the crypto industry is poised for yet another eye-watering bull run. This, as was the case in the past, will also attract more criminals. Via BleepingComputer
  21. There are constant levels of high attacks and port scans on Linux servers all the time, while a properly configured firewall and regular security system ... The post 5 Tools to Scan a Linux Server for Malware and Rootkits first appeared on Tecmint: Linux Howtos, Tutorials & Guides.
  22. Amazon GuardDuty Malware Protection adds a new capability that allows customers to initiate on-demand malware scans of Amazon Elastic Compute Cloud (Amazon EC2) instances, including instances used to host container workloads. Scans can be initiated using the GuardDuty console, or programmatically via the API, without the need to deploy security software and are designed to have no performance impact to running workloads. When potential malware is identified, GuardDuty generates actionable security findings with information such as the threat and file name, the file path, the Amazon EC2 instance ID, resource tags and, in the case of containers, the container ID and the container image used. This capability builds on the existing Malware Protection capability of GuardDuty-initiated scans that when enabled, automatically initiates a malware scan when GuardDuty detects suspicious behavior indicative of malware on the instance.
  23. Amazon GuardDuty Malware Protection is now available, in Amazon GuardDuty, to help detect malicious files residing on an instance or container workload running on Amazon Elastic Compute Cloud (Amazon EC2) without deploying security software or agents. Amazon GuardDuty Malware Protection adds file scanning for workloads utilizing Amazon Elastic Block Store (EBS) volumes to detect malware that can be used to compromise resources, modify access permissions, and exfiltrate data. Malicious files that contain trojans, worms, crypto miners, rootkits, bots, and the like can be used to compromise workloads, repurpose resources for malicious use, and gain unauthorized access to data. Existing customers can enable the GuardDuty Malware Protection feature with a single click in the GuardDuty console or through the GuardDuty API. When threats are detected, GuardDuty Malware Protection automatically sends security findings to AWS Security Hub, Amazon EventBridge, and Amazon Detective. These integrations help centralize monitoring for AWS and partner services, automate responses to malware findings, and perform security investigations from the GuardDuty console. With the launch of Amazon GuardDuty Malware Protection there are eight new threat detections:

Execution:EC2/MaliciousFile
Execution:ECS/MaliciousFile
Execution:Kubernetes/MaliciousFile
Execution:Container/MaliciousFile
Execution:EC2/SuspiciousFile
Execution:ECS/SuspiciousFile
Execution:Kubernetes/SuspiciousFile
Execution:Container/SuspiciousFile
  24. AWS Security Hub now automatically receives Amazon GuardDuty Malware Protection findings. Amazon GuardDuty Malware Protection delivers agentless detection of malware on your Amazon Elastic Compute Cloud (EC2) instance and container workloads. This integration between Security Hub and GuardDuty expands the centralization and single pane of glass experience in Security Hub by consolidating your malware findings alongside your other security findings, allowing you to more easily search, triage, investigate, and take action on your security findings. GuardDuty Malware Protection findings within Security Hub also contain an investigation link that allows you to quickly dive deeper to investigate the finding in Amazon Detective.
  25. With Amazon GuardDuty, you can monitor your AWS accounts and workloads to detect malicious activity. Today, we are adding to GuardDuty the capability to detect malware. Malware is malicious software that is used to compromise workloads, repurpose resources, or gain unauthorized access to data.

When you have GuardDuty Malware Protection enabled, a malware scan is initiated when GuardDuty detects that one of your EC2 instances or container workloads running on EC2 is doing something suspicious. For example, a malware scan is triggered when an EC2 instance is communicating with a command-and-control server that is known to be malicious or is performing denial of service (DoS) or brute-force attacks against other EC2 instances.

GuardDuty supports many file system types and scans file formats known to be used to spread or contain malware, including Windows and Linux executables, PDF files, archives, binaries, scripts, installers, email databases, and plain emails.

When potential malware is identified, actionable security findings are generated with information such as the threat and file name, the file path, the EC2 instance ID, resource tags and, in the case of containers, the container ID and the container image used. GuardDuty supports container workloads running on EC2, including customer-managed Kubernetes clusters or individual Docker containers. If the container is managed by Amazon Elastic Kubernetes Service (EKS) or Amazon Elastic Container Service (Amazon ECS), the findings also include the cluster name and the task or pod ID so application and security teams can quickly find the affected container resources.

As with all other GuardDuty findings, malware detections are sent to the GuardDuty console, pushed through Amazon EventBridge, routed to AWS Security Hub, and made available in Amazon Detective for incident investigation.
How GuardDuty Malware Protection Works

When you enable malware protection, you set up an AWS Identity and Access Management (IAM) service-linked role that grants GuardDuty permissions to perform malware scans. When a malware scan is initiated for an EC2 instance, GuardDuty Malware Protection uses those permissions to take a snapshot of the attached Amazon Elastic Block Store (EBS) volumes that are less than 1 TB in size and then restore the EBS volumes in an AWS service account in the same AWS Region to scan them for malware. You can use tagging to include or exclude EC2 instances from those permissions and from scanning. In this way, you don’t need to deploy security software or agents to monitor for malware, and scanning the volumes doesn’t impact running workloads.

The EBS volumes in the service account and the snapshots in your account are deleted after the scan. Optionally, you can preserve the snapshots when malware is detected.

The service-linked role grants GuardDuty access to AWS Key Management Service (AWS KMS) keys used to encrypt EBS volumes. If the EBS volumes attached to a potentially compromised EC2 instance are encrypted with a customer-managed key, GuardDuty Malware Protection uses the same key to encrypt the replica EBS volumes as well. If the volumes are not encrypted, GuardDuty uses its own key to encrypt the replica EBS volumes and ensure privacy. Volumes encrypted with EBS-managed keys are not supported.

Security in the cloud is a shared responsibility between you and AWS. As a guardrail, the service-linked role used by GuardDuty Malware Protection cannot perform any operation on your resources (such as EBS snapshots and volumes, EC2 instances, and KMS keys) if it has the GuardDutyExcluded tag. Once you mark your snapshots with GuardDutyExcluded set to true, the GuardDuty service won’t be able to access these snapshots. The GuardDutyExcluded tag supersedes any inclusion tag.
Permissions also restrict how GuardDuty can modify your snapshots so that they cannot be made public while shared with the GuardDuty service account. The EBS volumes created by GuardDuty are always encrypted. GuardDuty can use KMS keys only on EBS snapshots that have a GuardDuty scan ID tag. The scan ID tag is added by GuardDuty when snapshots are created after an EC2 finding. The KMS keys that are shared with the GuardDuty service account cannot be invoked from any other context except the Amazon EBS service. Once the scan completes successfully, the KMS key grant is revoked and the volume replica in the GuardDuty service account is deleted, making sure the GuardDuty service cannot access your data after completing the scan operation.

Enabling Malware Protection for an AWS Account

If you’re not using GuardDuty yet, Malware Protection is enabled by default when you activate GuardDuty for your account. Because I am already using GuardDuty, I need to enable Malware Protection from the console. If you’re using AWS Organizations, your delegated administrator accounts can enable this for existing member accounts and configure if new AWS accounts in the organization should be automatically enrolled.

In the GuardDuty console, I choose Malware Protection under Settings in the navigation pane. There, I choose Enable and then Enable Malware Protection.

Snapshots are automatically deleted after they are scanned. In General settings, I have the option to retain in my AWS account the snapshots where malware is detected and have them available for further analysis. In Scan options, I can configure a list of inclusion tags, so that only EC2 instances with those tags are scanned, or exclusion tags, so that EC2 instances with tags in the list are skipped.
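The same configuration the console steps above describe (enable Malware Protection, set inclusion and exclusion tags, retain snapshots when malware is found, and opt an instance out with the GuardDutyExcluded tag), done through the boto3 GuardDuty and EC2 APIs. This is an added example, not AWS's own code; the detector id, instance id and tag names are constructed placeholders, and the boto3 calls used (update_detector with Features, update_malware_scan_settings, ec2 create_tags) are the public API as I know it.

```python
"""Configure Amazon GuardDuty Malware Protection from code (added example).

Mirrors the console steps on the page: enable Malware Protection, choose
inclusion/exclusion tags, keep snapshots when malware is found, and tag an
instance GuardDutyExcluded=true to keep it out of scans entirely.
Detector ids, instance ids and tag values below are constructed placeholders.
"""
from __future__ import annotations

from typing import Any, Optional

# Tag GuardDuty honours as a hard opt-out; it supersedes any inclusion tag.
GUARDDUTY_EXCLUDED_TAG = "GuardDutyExcluded"

# Values accepted by the EbsSnapshotPreservation parameter.
RETAIN_WHEN_MALWARE_FOUND = "RETENTION_WITH_FINDING"
NO_RETENTION = "NO_RETENTION"


def _tag_conditions(tags: dict[str, Optional[str]]) -> list[dict[str, str]]:
    """Turn {key: value} (value None = match any value) into ScanConditionPair items."""
    pairs: list[dict[str, str]] = []
    for key, value in tags.items():
        pair = {"Key": key}
        if value is not None:
            pair["Value"] = value
        pairs.append(pair)
    return pairs


def build_scan_settings(
    include_tags: Optional[dict[str, Optional[str]]] = None,
    exclude_tags: Optional[dict[str, Optional[str]]] = None,
    retain_snapshots_on_detection: bool = False,
) -> dict[str, Any]:
    """Build keyword arguments for guardduty.update_malware_scan_settings().

    Inclusion tags restrict scanning to matching EC2 instances; exclusion tags
    skip matching instances (the console's Scan options).
    """
    include_tags = include_tags or {}
    exclude_tags = exclude_tags or {}

    # GuardDutyExcluded always wins, so using it as an inclusion tag can never
    # select anything; reject the contradiction instead of shipping it.
    if GUARDDUTY_EXCLUDED_TAG in include_tags:
        raise ValueError(f"{GUARDDUTY_EXCLUDED_TAG} cannot be an inclusion tag")
    overlap = set(include_tags) & set(exclude_tags)
    if overlap:
        raise ValueError(f"tags listed as both include and exclude: {sorted(overlap)}")

    criteria: dict[str, Any] = {}
    if include_tags:
        criteria["Include"] = {"EC2_INSTANCE_TAG": _tag_conditions(include_tags)}
    if exclude_tags:
        criteria["Exclude"] = {"EC2_INSTANCE_TAG": _tag_conditions(exclude_tags)}

    settings: dict[str, Any] = {
        "EbsSnapshotPreservation": (
            RETAIN_WHEN_MALWARE_FOUND if retain_snapshots_on_detection else NO_RETENTION
        ),
    }
    if criteria:  # omit the key entirely when no tag filters are configured
        settings["ScanResourceCriteria"] = criteria
    return settings


def enable_malware_protection(detector_id: str, settings: dict[str, Any], guardduty=None) -> dict:
    """Enable the EBS_MALWARE_PROTECTION feature, then apply the scan settings.

    `guardduty` is a boto3 GuardDuty client; it is created lazily so the pure
    helpers above run without credentials (or boto3) installed.
    """
    if guardduty is None:
        import boto3  # only needed when actually talking to AWS
        guardduty = boto3.client("guardduty")
    guardduty.update_detector(
        DetectorId=detector_id,
        Features=[{"Name": "EBS_MALWARE_PROTECTION", "Status": "ENABLED"}],
    )
    return guardduty.update_malware_scan_settings(DetectorId=detector_id, **settings)


def exclude_instance_from_scans(instance_id: str, ec2=None) -> dict:
    """Tag an instance GuardDutyExcluded=true so GuardDuty never snapshots it."""
    if ec2 is None:
        import boto3
        ec2 = boto3.client("ec2")
    return ec2.create_tags(
        Resources=[instance_id],
        Tags=[{"Key": GUARDDUTY_EXCLUDED_TAG, "Value": "true"}],
    )


if __name__ == "__main__":
    # Scan only prod-tagged instances, skip anything tagged ScanOptOut (any value),
    # and keep the snapshot whenever malware is found for later forensics.
    scan_settings = build_scan_settings(
        include_tags={"Environment": "prod"},
        exclude_tags={"ScanOptOut": None},
        retain_snapshots_on_detection=True,
    )
    print(scan_settings)
    # Real calls need AWS credentials; replace the placeholder ids first.
    # enable_malware_protection("PLACEHOLDER_DETECTOR_ID", scan_settings)
    # exclude_instance_from_scans("i-PLACEHOLDER")
```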
Testing Malware Protection GuardDuty Findings

To generate several Amazon GuardDuty findings, including the new Malware Protection findings, I clone the Amazon GuardDuty Tester repo:

$ git clone https://github.com/awslabs/amazon-guardduty-tester

First, I create an AWS CloudFormation stack using the guardduty-tester.template file. When the stack is ready, I follow the instructions to configure my SSH client to log in to the tester instance through the bastion host. Then, I connect to the tester instance:

$ ssh tester

From the tester instance, I start the guardduty_tester.sh script to generate the findings:

$ ./guardduty_tester.sh
***********************************************************************
* Test #1 - Internal port scanning *
* This simulates internal reconaissance by an internal actor or an *
* external actor after an initial compromise. This is considered a *
* low priority finding for GuardDuty because its not a clear indicator *
* of malicious intent on its own. *
***********************************************************************

Starting Nmap 6.40 ( http://nmap.org ) at 2022-05-19 09:36 UTC
Nmap scan report for ip-172-16-0-20.us-west-2.compute.internal (172.16.0.20)
Host is up (0.00032s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
5050/tcp closed mmcc
MAC Address: 06:25:CB:F4:E0:51 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 4.96 seconds

-----------------------------------------------------------------------
***********************************************************************
* Test #2 - SSH Brute Force with Compromised Keys *
* This simulates an SSH brute force attack on an SSH port that we *
* can access from this instance. It uses (phony) compromised keys in *
* many subsequent attempts to see if one works. This is a common *
* techique where the bad actors will harvest keys from the web in *
* places like source code repositories where people accidentally leave *
* keys and credentials (This attempt will not actually succeed in *
* obtaining access to the target linux instance in this subnet) *
***********************************************************************

2022-05-19 09:36:29 START
2022-05-19 09:36:29 Crowbar v0.4.3-dev
2022-05-19 09:36:29 Trying 172.16.0.20:22
2022-05-19 09:36:33 STOP
2022-05-19 09:36:33 No results found...
2022-05-19 09:36:33 START
2022-05-19 09:36:33 Crowbar v0.4.3-dev
2022-05-19 09:36:33 Trying 172.16.0.20:22
2022-05-19 09:36:37 STOP
2022-05-19 09:36:37 No results found...
2022-05-19 09:36:37 START
2022-05-19 09:36:37 Crowbar v0.4.3-dev
2022-05-19 09:36:37 Trying 172.16.0.20:22
2022-05-19 09:36:41 STOP
2022-05-19 09:36:41 No results found...
2022-05-19 09:36:41 START
2022-05-19 09:36:41 Crowbar v0.4.3-dev
2022-05-19 09:36:41 Trying 172.16.0.20:22
2022-05-19 09:36:45 STOP
2022-05-19 09:36:45 No results found...
2022-05-19 09:36:45 START
2022-05-19 09:36:45 Crowbar v0.4.3-dev
2022-05-19 09:36:45 Trying 172.16.0.20:22
2022-05-19 09:36:48 STOP
2022-05-19 09:36:48 No results found...
2022-05-19 09:36:49 START
2022-05-19 09:36:49 Crowbar v0.4.3-dev
2022-05-19 09:36:49 Trying 172.16.0.20:22
2022-05-19 09:36:52 STOP
2022-05-19 09:36:52 No results found...
2022-05-19 09:36:52 START
2022-05-19 09:36:52 Crowbar v0.4.3-dev
2022-05-19 09:36:52 Trying 172.16.0.20:22
2022-05-19 09:36:56 STOP
2022-05-19 09:36:56 No results found...
2022-05-19 09:36:56 START
2022-05-19 09:36:56 Crowbar v0.4.3-dev
2022-05-19 09:36:56 Trying 172.16.0.20:22
2022-05-19 09:37:00 STOP
2022-05-19 09:37:00 No results found...
2022-05-19 09:37:00 START
2022-05-19 09:37:00 Crowbar v0.4.3-dev
2022-05-19 09:37:00 Trying 172.16.0.20:22
2022-05-19 09:37:04 STOP
2022-05-19 09:37:04 No results found...
2022-05-19 09:37:04 START
2022-05-19 09:37:04 Crowbar v0.4.3-dev
2022-05-19 09:37:04 Trying 172.16.0.20:22
2022-05-19 09:37:08 STOP
2022-05-19 09:37:08 No results found...
2022-05-19 09:37:08 START
2022-05-19 09:37:08 Crowbar v0.4.3-dev
2022-05-19 09:37:08 Trying 172.16.0.20:22
2022-05-19 09:37:12 STOP
2022-05-19 09:37:12 No results found...
2022-05-19 09:37:12 START
2022-05-19 09:37:12 Crowbar v0.4.3-dev
2022-05-19 09:37:12 Trying 172.16.0.20:22
2022-05-19 09:37:16 STOP
2022-05-19 09:37:16 No results found...
2022-05-19 09:37:16 START
2022-05-19 09:37:16 Crowbar v0.4.3-dev
2022-05-19 09:37:16 Trying 172.16.0.20:22
2022-05-19 09:37:20 STOP
2022-05-19 09:37:20 No results found...
2022-05-19 09:37:20 START
2022-05-19 09:37:20 Crowbar v0.4.3-dev
2022-05-19 09:37:20 Trying 172.16.0.20:22
2022-05-19 09:37:23 STOP
2022-05-19 09:37:23 No results found...
2022-05-19 09:37:23 START
2022-05-19 09:37:23 Crowbar v0.4.3-dev
2022-05-19 09:37:23 Trying 172.16.0.20:22
2022-05-19 09:37:27 STOP
2022-05-19 09:37:27 No results found...
2022-05-19 09:37:27 START
2022-05-19 09:37:27 Crowbar v0.4.3-dev
2022-05-19 09:37:27 Trying 172.16.0.20:22
2022-05-19 09:37:31 STOP
2022-05-19 09:37:31 No results found...
2022-05-19 09:37:31 START
2022-05-19 09:37:31 Crowbar v0.4.3-dev
2022-05-19 09:37:31 Trying 172.16.0.20:22
2022-05-19 09:37:34 STOP
2022-05-19 09:37:34 No results found...
2022-05-19 09:37:35 START
2022-05-19 09:37:35 Crowbar v0.4.3-dev
2022-05-19 09:37:35 Trying 172.16.0.20:22
2022-05-19 09:37:38 STOP
2022-05-19 09:37:38 No results found...
2022-05-19 09:37:38 START
2022-05-19 09:37:38 Crowbar v0.4.3-dev
2022-05-19 09:37:38 Trying 172.16.0.20:22
2022-05-19 09:37:42 STOP
2022-05-19 09:37:42 No results found...
2022-05-19 09:37:42 START
2022-05-19 09:37:42 Crowbar v0.4.3-dev
2022-05-19 09:37:42 Trying 172.16.0.20:22
2022-05-19 09:37:46 STOP
2022-05-19 09:37:46 No results found...

-----------------------------------------------------------------------
***********************************************************************
* Test #3 - RDP Brute Force with Password List *
* This simulates an RDP brute force attack on the internal RDP port *
* of the windows server that we installed in the environment. It uses *
* a list of common passwords that can be found on the web. This test *
* will trigger a detection, but will fail to get into the target *
* windows instance. *
***********************************************************************

Sending 250 password attempts at the windows server...
Hydra v9.4-dev (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-05-19 09:37:46
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[INFO] Reduced number of tasks to 4 (rdp does not like many parallel connections)
[WARNING] the rdp module is experimental. Please test, report - and if possible, fix.
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1792 login tries (l:7/p:256), ~448 tries per task
[DATA] attacking rdp://172.16.0.24:3389/
[STATUS] 1099.00 tries/min, 1099 tries in 00:01h, 693 to do in 00:01h, 4 active
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-05-19 09:39:23

-----------------------------------------------------------------------
***********************************************************************
* Test #4 - CryptoCurrency Mining Activity *
* This simulates interaction with a cryptocurrency mining pool which *
* can be an indication of an instance compromise. In this case, we are *
* only interacting with the URL of the pool, but not downloading *
* any files. This will trigger a threat intel based detection. *
***********************************************************************

Calling bitcoin wallets to download mining toolkits

-----------------------------------------------------------------------
***********************************************************************
* Test #5 - DNS Exfiltration *
* A common exfiltration technique is to tunnel data out over DNS *
* to a fake domain. Its an effective technique because most hosts *
* have outbound DNS ports open. This test wont exfiltrate any data, *
* but it will generate enough unusual DNS activity to trigger the *
* detection. *
***********************************************************************

Calling large numbers of large domains to simulate tunneling via DNS

***********************************************************************
* Test #6 - Fake domain to prove that GuardDuty is working *
* This is a permanent fake domain that customers can use to prove that *
* GuardDuty is working. Calling this domain will always generate the *
* Backdoor:EC2/C&CActivity.B!DNS finding type *
***********************************************************************

Calling a well known fake domain that is used to generate a known finding

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.amzn2.5.2 <<>> GuardDutyC2ActivityB.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11495
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;GuardDutyC2ActivityB.com. IN ANY

;; ANSWER SECTION:
GuardDutyC2ActivityB.com. 6943 IN SOA ns1.markmonitor.com. hostmaster.markmonitor.com. 2018091906 86400 3600 2592000 172800
GuardDutyC2ActivityB.com. 6943 IN NS ns3.markmonitor.com.
GuardDutyC2ActivityB.com. 6943 IN NS ns5.markmonitor.com.
GuardDutyC2ActivityB.com. 6943 IN NS ns7.markmonitor.com.
GuardDutyC2ActivityB.com. 6943 IN NS ns2.markmonitor.com.
GuardDutyC2ActivityB.com. 6943 IN NS ns4.markmonitor.com.
GuardDutyC2ActivityB.com. 6943 IN NS ns6.markmonitor.com.
GuardDutyC2ActivityB.com. 6943 IN NS ns1.markmonitor.com.

;; Query time: 27 msec
;; SERVER: 172.16.0.2#53(172.16.0.2)
;; WHEN: Thu May 19 09:39:23 UTC 2022
;; MSG SIZE rcvd: 238

*****************************************************************************************************

Expected GuardDuty Findings

Test 1: Internal Port Scanning
Expected Finding: EC2 Instance i-011e73af27562827b is performing outbound port scans against remote host. 172.16.0.20
Finding Type: Recon:EC2/Portscan

Test 2: SSH Brute Force with Compromised Keys
Expecting two findings - one for the outbound and one for the inbound detection
Outbound: i-011e73af27562827b is performing SSH brute force attacks against 172.16.0.20
Inbound: 172.16.0.25 is performing SSH brute force attacks against i-0bada13e0aa12d383
Finding Type: UnauthorizedAccess:EC2/SSHBruteForce

Test 3: RDP Brute Force with Password List
Expecting two findings - one for the outbound and one for the inbound detection
Outbound: i-011e73af27562827b is performing RDP brute force attacks against 172.16.0.24
Inbound: 172.16.0.25 is performing RDP brute force attacks against i-0191573dec3b66924
Finding Type : UnauthorizedAccess:EC2/RDPBruteForce

Test 4: Cryptocurrency Activity
Expected Finding: EC2 Instance i-011e73af27562827b is querying a domain name that is associated with bitcoin activity
Finding Type : CryptoCurrency:EC2/BitcoinTool.B!DNS

Test 5: DNS Exfiltration
Expected Finding: EC2 instance i-011e73af27562827b is attempting to query domain names that resemble exfiltrated data
Finding Type : Trojan:EC2/DNSDataExfiltration

Test 6: C&C Activity
Expected Finding: EC2 instance i-011e73af27562827b is querying a domain name associated with a known Command & Control server.
Finding Type : Backdoor:EC2/C&CActivity.B!DNS

After a few minutes, the findings appear in the GuardDuty console. At the top, I see the malicious files found by the new Malware Protection capability. One of the findings is related to an EC2 instance, the other to an ECS cluster.

First, I select the finding related to the EC2 instance. In the panel, I see the information on the instance and the malicious file, such as the file name and path. In the Malware scan details section, the Trigger finding ID points to the original GuardDuty finding that triggered the malware scan. In my case, the original finding was that this EC2 instance was performing RDP brute force attacks against another EC2 instance.

Here, I choose Investigate with Detective and, directly from the GuardDuty console, I go to the Detective console to visualize AWS CloudTrail and Amazon Virtual Private Cloud (Amazon VPC) flow data for the EC2 instance, the AWS account, and the IP address affected by the finding. Using Detective, I can analyze, investigate, and identify the root cause of suspicious activities found by GuardDuty.

When I select the finding related to the ECS cluster, I have more information on the resource affected, such as the details of the ECS cluster, the task, the containers, and the container images.

Using the GuardDuty tester scripts makes it easier to test the overall integration of GuardDuty with other security frameworks you use so that you can be ready when a real threat is detected.

Comparing GuardDuty Malware Protection with Amazon Inspector

At this point, you might ask yourself how GuardDuty Malware Protection relates to Amazon Inspector, a service that scans AWS workloads for software vulnerabilities and unintended network exposure.
The two services complement each other and offer different layers of protection:

Amazon Inspector offers proactive protection by identifying and remediating known software and application vulnerabilities that serve as an entry point for attackers to compromise resources and install malware.

GuardDuty Malware Protection detects malware that is found to be present on actively running workloads. At that point, the system has already been compromised, but GuardDuty can limit the time of an infection and take action before a system compromise results in a business-impacting event.

Availability and Pricing

Amazon GuardDuty Malware Protection is available today in all AWS Regions where GuardDuty is available, excluding the AWS China (Beijing), AWS China (Ningxia), AWS GovCloud (US-East), and AWS GovCloud (US-West) Regions.

At launch, GuardDuty Malware Protection is integrated with these partner offerings:

BitDefender
CloudHesive
Crowdstrike
Fortinet
Palo Alto Networks
Rapid7
Sophos
Sysdig
Trellix

With GuardDuty, you don’t need to deploy security software or agents to monitor for malware. You only pay for the amount of GB scanned in the file systems (not for the size of the EBS volumes) and for the EBS snapshots during the time they are kept in your account. All EBS snapshots created by GuardDuty are automatically deleted after they are scanned unless you enable snapshot retention when malware is found. For more information, see GuardDuty pricing and EBS pricing. Note that GuardDuty only scans EBS volumes less than 1 TB in size. To help you control costs and avoid repeating alarms, the same volume is not scanned more often than once every 24 hours.

Detect malicious activity and protect your applications from malware with Amazon GuardDuty.

— Danilo