Martijn Lammerts
My own digital place with a little of everything

Machine-to-Machine (M2M) Technology Design Issues and Implementation Vulnerabilities

We delve into the protocol security issues that may crop up from a technology perspective. The scarce awareness we have observed around the current state of MQTT and CoAP can help attackers achieve their goals, ranging from reconnaissance and lateral movement to remote control and targeted attacks.

The post Machine-to-Machine (M2M) Technology Design Issues and Implementation Vulnerabilities appeared first on .

New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools

MuddyWater is a well-known threat actor group that has been active since 2017. They have regularly targeted various organizations in the Middle East and Central Asia, primarily using spear-phishing emails with malicious attachments. We recently observed a few interesting delivery documents with similarities to the known MuddyWater tools, techniques and procedures.

Water and Energy Sectors Through the Lens of the Cybercriminal Underground

In our research Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries, we not only found exposed industrial control system (ICS) human machine interfaces (HMIs) but also pointed out how these systems were at risk. This risk is corroborated by the active interest in water and energy ICSs shown by different kinds of cybercriminal groups.

Proofs of Concept Abusing PowerShell Core: Caveats and Best Practices

We explored possible strategies attackers can employ when abusing PowerShell Core. These proofs of concept (PoCs) would help in better understanding — and in turn, detecting and preventing — the common routines and behaviors of possible and future threats that attackers might use. The PoCs we developed using PowerShell Core were conducted on Windows, Linux, and macOS. Most of the techniques we applied can be seen in previous threats involving PowerShell-based functionalities, such as the fileless KOVTER and POWMET. The scenarios in our PoCs are also based on the PowerShell function they use.

Fake Voice Apps on Google Play, Botnet Likely in Development

Several apps on Google Play posing as legitimate voice messenger platforms have automated functions such as fake survey pop-ups and fraudulent ad clicks. Observed variants were deployed one by one since October; their evolution includes evasive techniques, infection behavior divided into several stages, and botnet code possibly indicative of future attacks.

AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor

BLADABINDI, also known as njRAT/Njw0rm, is a remote access tool (RAT) with a myriad of backdoor capabilities — from keylogging to carrying out distributed denial-of-service (DDoS) attacks — and has been rehashed and reused in various cyberespionage campaigns since it first emerged. Indeed, BLADABINDI’s customizability and seeming availability in the underground make it a prevalent threat. Case in point: last week, we came across a worm (detected by Trend Micro as Worm.Win32.BLADABINDI.AA) that propagates through removable drives and installs a fileless version of the BLADABINDI backdoor.

A Look into the Connection Between XLoader and FakeSpy, and Their Possible Ties With the Yanbian Gang

XLoader and FakeSpy are two of the most prevalent malware families that emerged from the mobile threat landscape recently. We first reported on XLoader in April 2018, when it used Domain Name System (DNS) cache poisoning/DNS spoofing to victimize users with malicious Android apps that steal PII and financial data and install additional apps. Meanwhile, we released our findings on FakeSpy in June, after it infected Android users via SMS phishing (SMiShing) to launch info-stealing attacks.

As of October, there have been a combined total of 384,748 victims from XLoader and FakeSpy attacks globally, with the majority of victims coming from South Korea and Japan.
