AttackIQ has released a new attack graph that emulates the behaviors exhibited by Mallox ransomware since the beginning of its activities in June 2021. Mallox primarily gains access to victim networks through dictionary brute-force attacks against unsecured MS-SQL servers.
The post Emulating the Extortionist Mallox Ransomware appeared first on AttackIQ.
The post Emulating the Extortionist Mallox Ransomware appeared first on Security Boulevard.
Worried about GitHub Copilot’s security and privacy concerns? Learn about potential risks and best practices to protect yourself and your organization while leveraging AI.
The post GitHub Copilot Security and Privacy Concerns: Understanding the Risks and Best Practices appeared first on Security Boulevard.
Ticket bots challenge fair access to events, impacting the ticketing industry. This article explores their operation, effects, and strategies to combat them.
The post How to Restore Fairness In Online Ticketing by Fighting Ticket Bots appeared first on Security Boulevard.
In our groundbreaking 2023 Annual Review, Horizon3.ai delves into the transformative approach of autonomous pentesting with NodeZero. This pivotal document is your gateway to mastering proactive cybersecurity defense mechanisms.
The post Gartner® Report Hype Cycle™ for Security Operations, 2024 appeared first on Horizon3.ai.
The post Gartner® Report Hype Cycle™ for Security Operations, 2024 appeared first on Security Boulevard.
A report by Radware finds that DDoS attacks are increasing not only in number and volume, some lasting as long as 100 hours over six days.
The post Radware Report Surfaces Increasing Waves of DDoS Attacks appeared first on Security Boulevard.
A newly released report, Forrester’s The State of Cyber, 2024 finds about 83% of organizations currently maintain cybersecurity insurance, and such policyholders tend to possess improved ability to detect and respond to attacks.
The post Cybersecurity Insurance: Signals Maturity to Partners, Improved Security Response appeared first on Security Boulevard.
Cary, North Carolina, 30th August 2024, CyberNewsWire
The post INE Security Named 2024 SC Awards Finalist appeared first on Security Boulevard.
Veeam has shown evidence of its capabilities to provide backup, recovery and cybersecurity across an increasing number of heavyweight cloud platforms, databases and service layers including MongoDB and Nutanix.
The post Veeam Widens Beam to MongoDB, Nutanix & Proxmox VE appeared first on Security Boulevard.
Everything you need to know about Google Ads click fraud: its impact, how Google addresses the problem and what you can do to stop it.
The post How to Prevent Click Fraud on Google Ads appeared first on Security Boulevard.
As businesses increasingly rely on technology, the role of cyber security companies has become essential. In Mumbai, cybersecurity firms are growing in importance as they help defend against rising cyber threats like data breaches and ransomware attacks, affecting businesses and individuals of all sizes. So far in 2024, there have been approximately 30,272,408,782 data breaches. […]
The post Top 5 Cyber Security Companies in Mumbai appeared first on Kratikal Blogs.
The post Top 5 Cyber Security Companies in Mumbai appeared first on Security Boulevard.
Software development is a fast-paced world where progress is both a blessing and a curse. The latest versions promise new features, improved performance, and enhanced security, but they also come with significant challenges. For many organizations running their applications on end-of-life (EOL) Spring Framework 5.3 and Spring Boot 2.7, the prospect of upgrading to the […]
The post The Hidden Costs of Progress: Navigating the Challenges of Upgrading from Spring Framework and Spring Boot EOL Versions appeared first on TuxCare.
The post The Hidden Costs of Progress: Navigating the Challenges of Upgrading from Spring Framework and Spring Boot EOL Versions appeared first on Security Boulevard.
Reading Time: 6 min Master DMARC deployment in 5 steps. Learn to configure SPF/DKIM, analyze reports, and gradually enforce policies.
The post DMARC Deployment Phases: What to Expect and How to Prepare appeared first on Security Boulevard.
In jointly published analysis by Palantir Technologies and Trail of Bits pertaining to Google Pixel security, it has been revealed that Pixel phones shipped worldwide since 2017 host a dormant app. The app, if exploited, can become a staging ground for attacks and can be used for delivering various kinds of malware. In this article, […]
The post Google Pixel Security: Android App Makes Phones Vulnerable appeared first on TuxCare.
The post Google Pixel Security: Android App Makes Phones Vulnerable appeared first on Security Boulevard.
Managing compliance takes a collaborative effort from several different departments, but security teams are uniquely positioned to lead the collaboration This article was originally posted in ASIS Security Management Magazine. Employers in California had a 1 July deadline to comply with SB 553, the state law mandating that employers establish workplace violence prevention programs. The question…
The post Who Owns Implementation of California’s New Workplace Violence Prevention Law? appeared first on Ontic.
The post Who Owns Implementation of California’s New Workplace Violence Prevention Law? appeared first on Security Boulevard.
Do you use Google’s Search functionality to find products or services to solve a problem you have? I’m guessing that the majority of people reading this article do this regularly or have at least used it once. In fact, Google reports handling 8.5B queries a day. That’s 2T (trillion!) searches a year. You have likely […]
The post Malvertising and Google Ads: Protecting High Net-Worth Individuals and Executives appeared first on BlackCloak | Protect Your Digital Life™.
The post Malvertising and Google Ads: Protecting High Net-Worth Individuals and Executives appeared first on Security Boulevard.
Authors/Presenters:Harun Oz, Ahmet Aris, Abbas Acar, Güliz Seray Tuncay, Leonardo Babun, Selcuk Uluagac
Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.
The post USENIX Security ’23 – RøB: Ransomware over Modern Web Browsers appeared first on Security Boulevard.
Find out more about shadow AI and the risks of leaving it uncovered.
The post Shining a Light on Shadow AI: What It Is and How to Find It appeared first on Security Boulevard.
Our teams are always hard at work improving the TrustCloud platform. Here are this month’s biggest updates. Introducing our ServiceNow integration! This is a bidirectional integration with ServiceNow to pull ticket details into TrustCloud. Teams can create new ServiceNow tasks in TrustCloud and attach ServiceNow links as evidence to your tests. The integration also supports […]
The post TrustCloud Product Updates: August 2024 first appeared on TrustCloud.
The post TrustCloud Product Updates: August 2024 appeared first on Security Boulevard.
Specula is a framework that allows for interactive operations of an implant that runs purely in the context of Outlook. It works by setting a custom Outlook homepage via registry keys that calls out to an interactive python web server. This web server serves custom patched vbscript files that will execute a command and return a string response. This is not a completely new concept, other public tools have existed before that take advantage of the vbscript capability within outlook to perform attacks.
One of the unique features of Specula outside of running entirely within Outlook is its ability to load and execute XLL Files. Once an agent has been hooked the malicious xll can be staged and executed via execute_registerxll.
In this blog we are going to break down using an XLL file to launch an application using Specula C2 and Outlook. Some of the logs shown in this blog will be truncated to show the important parts for brevity.
Hooking AgentsTo hook an agent, all you need to do is to create the registry REG_SZ value of URL under HKCU\Software\Microsoft\Office\16.0\Outlook\WebView\Inbox and add the value pointing to your validation url on the Specula server.
Hooked Registry KeysThere are a few settings that are preferable to add/adjust in order to avoid issues with ActiveX. To generate a full reg file with all the recommended settings you can, from the root of the Specula menu, run generatehooker and it will show you the reg file you can copy over to an Windows client with Outlook on and import it. For the registry key to take effect, you will need to stop Outlook if it is running and restart it.
XLLAn XLL (Excel Add-In) is a type of dynamic link library (DLL) specifically designed for use with Microsoft Excel, providing a way to extend Excel’s built-in functionality by adding custom functions, commands, and toolbars. Like DLLs, XLLs are compiled libraries that can be loaded into Excel, integrating seamlessly to create custom functions that behave like native Excel functions. Written in low-level programming languages such as C or C++, XLLs offer better performance and efficiency compared to VBA (Visual Basic for Applications) macros. They can also call Excel’s C API, allowing for deeper and more complex interactions with Excel. Additionally, XLLs can be distributed and deployed as standalone files, making them easy to share and install across different systems.
These files are basically DLLs with specific function names.
So to quickly recap. A victim running Outlook is hooked via a reg file containing specific registry keys for an Outlook homepage pointing at the Specula Server. Once hooked and approved the malicious xll is staged.
XLL Upload via Specula C2Once staged the execute/host/execute_registerxll module is executed with an input of our staged xll file. This will launch an Excel COM object, load, and execute the malicious file. This can essentially perform any action that a typical DLL can without utilizing typical DLL methods of loading.
Execute XLLSuccessful execution can be checked via the data command
Successful Execution Logs and Detection Opportunities Registry HookAs mentioned, the first thing that will happen when using Specula C2 is the agent hooking via the registry. The framework achieves this by modifying specific registry keys related to Outlook’s web view and homepage settings, redirecting them to the C2 server controlled by the attacker.
When an Outlook user opens a specific folder (like Inbox, Calendar, or Tasks), Outlook queries the registry to determine if a custom homepage or web view has been set for that folder. This HTML page allows execution of VBScript or JScript within a privileged context, granting nearly full access to the local system, similar to running scripts via cscript or wscript.exe.
The ability to abuse the Outlook home page was reported as CVE-2017–11774. The Outlook home page was believed to be patched, however, even though the UI elements used to set this was disabled the registry values can still be changed manually.
Since this is registry modifications it can be captured with Sysmon EventID 13.
...You will want to look for the URL being set in the following Registry Keys:
Software\Microsoft\Office\*\Outlook\TodayIf you have network insights, tools such as Zeek offer some detection opportunities around the agent registration. Specula will make a web POST to the /plugin/search uri by default. This will contain a base64 encoded payload containing the hostname and username.
bytes: 58The xll file that will be executed needs to be staged locally. This is usually accomplished via the put_file function of Specula. This will generate a File Creation event for the XLL File by the Outlook process. The location is determined by the attacker but looking for any xll files created by Outlook will highlight this activity.
Provider Name: Microsoft-Windows-SysmonWhen Outlook goes to execute the XLL, it will launch an instance of Excel using the Office COM Objects. This will cause svchost.exe to launch Excel with /automation -Embedding arguments. You can find this activity by looking for process creation events. Outside of just Excel being launched, you can use this to identify other suspicious executions of Office products.
CommandLine: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -EmbeddingLooking at the process graph you won’t see a connection to Outlook as the originator of the activity because of the way it uses these COM Objects.
Process Graph of XLL Execution XLL LoadFinally the Excel Object will load and execute the XLL Add-in from the uploaded location. This shows up in Image Loads (EventID 7).
EventDescription: Image loadedExcel loading an XLL is in itself not necessarily malicious. However, you can hunt for this and narrow it down to unusual locations such as Temp or Public folders.
For more logs and details on this and other Specula C2 activity, check out the collection in our platform: Specula.
MitreT1137.004 — Office Application Startup: Outlook Home Page
Adversaries may abuse Microsoft Outlook’s Home Page feature to obtain persistence on a compromised system.
T1559.001 — Inter-Process Communication: Component Object Model (COM)
Adversaries may use the Windows Component Object Model (COM) for local code execution.
T1059.005 — Command and Scripting Interpreter: Visual Basic
Adversaries may abuse Visual Basic (VB) for execution.
T1071.001 — Application Layer Protocol: Web Protocols
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
T1112 — Modify Registry
Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
T1203 — Exploitation for Client Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
In summary, Specula C2 represents an advanced and innovative approach to conducting interactive operations entirely within the context of Microsoft Outlook. By leveraging custom Outlook homepages and registry modifications, Specula enables seamless command execution through a Python web server. Its unique ability to load and execute XLL files further enhances its versatility, allowing for sophisticated attack scenarios. Understanding the techniques employed by Specula, such as registry manipulation and COM object utilization, is crucial for strengthening cybersecurity defenses.
SnapAttack is the threat hunting, detection engineering, and detection validation platform for proactive threat-informed defense. Register for a FREE community account to access the tons of content included in this blog post, as well as thousands of other community detections. Subscribers also get advanced features like a no-code detection builder, one-click deployments to leading SIEMs and EDRs like Chronicle, Sentinel, Splunk, CrowdStrike and SentinelOne, advanced threat profiles to prioritize relevant threats, and customized reports that track MITRE ATT&CK coverage and more!
ResourcesHunting Specula C2 Framework and XLL Execution was originally published in SnapAttack on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Hunting Specula C2 Framework and XLL Execution appeared first on Security Boulevard.
via the inimitable Daniel Stori at Turnoff.US!
The post Daniel Stori’s ‘Linux Top Explained’ appeared first on Security Boulevard.
