ReasonLabs launched Online Security platform for Android and iOS, available for download on the Google Play Store and Apple App Store. This marks a significant milestone in ReasonLabs’ mission to deliver a comprehensive security platform that empowers over 25 million users with protection for their devices, identities, and privacy. ReasonLabs’ platform, already recognized for its identity and device protection delivered on desktops, now extends its availability to mobile devices. Americans lost more than $12.5 billion … More →
The post ReasonLabs launches Online Security platform for Android and iOS appeared first on Help Net Security.
VeriClouds and Enzoic signed an agreement to bring our customers a more innovative service under the Enzoic brand.
The post Enzoic Acquires VeriClouds appeared first on Security Boulevard.
Increased activity from the state-sponsored threat group Volt Typhoon raises concerns about the cybersecurity of U.S. critical infrastructure. Here’s how you can identify potential exposures and attack paths.
Recent activity from the state-sponsored group Volt Typhoon, from the People’s Republic of China (PRC), has prompted federal agencies — including the Cybersecurity and Infrastructure Security Agency (CISA) and international partners — to issue urgent warnings and advisories. This increase in activity from advanced persistent threat (APT) actors targeting U.S. critical infrastructure highlights the need for increased vigilance from state and local governments. Since U.S. critical infrastructure is owned and operated by both public sector and private sector organizations, the threat is a concern for government agencies as well as corporate enterprises.
Volt Typhoon is a sophisticated threat group, typically gaining initial access to targets by exploiting unpatched vulnerabilities, including zero-day flaws, as well as through phishing techniques. Once initial access is gained, Volt Typhoon stays persistent for as long as possible, blending in with normal traffic and operating systems. This is achieved through “living off the land” (LOTL) techniques, leveraging native operating system tools to evade detection and favoring manual operations over automated manual scripts, further enhancing their adaptability within the environment.
State and local governments (SLG) have real options though, thanks to the Tenable Security Response Team’s examination of Volt Typhoon’s tactics, techniques and procedures (TTP). Additionally, with the Fiscal Year 2024 State and Local Cybersecurity Grant Program (SLCGP) Notice of Funding Opportunity (NOFO) open for eligible applicants through December 3, SLG officials can apply for funding to strengthen the security of critical infrastructure against malicious threats and to bolster the resilience of the services that state and local governments provide to their communities.
Based on the Tenable Security Response Team’s findings, Tenable recommends state and local government officials consider the following measures to address, patch and mitigate the identified Volt Typhoon vulnerabilities. In addition to these recommendations, implementing cyber hygiene best practices is essential for effective defense.
Patching known vulnerabilities and identifying affected systemsState and local government agencies have the tools and capabilities to protect themselves against the vast majority of attacks, including those from APT actors. Too many entities, however, are failing to take even the minimum steps to protect themselves and their communities.
Let’s start with the basics: it’s critical to have holistic exposure management capabilities that concentrate on discovering and remediating publicly disclosed CVEs. Exposure management combines the people, processes and technologies needed to effectively reduce cyber risk. Technologies such as vulnerability management, web application security, cloud security, identity security, attack path analysis and attack surface management are used to help organizations understand the full breadth and depth of their exposures and take the actions needed to reduce them through remediation and incident response workflows. This proactive approach gives organizations the power to identify and patch known vulnerabilities before they can be exploited.
By implementing proactive exposure management measures, state and local officials can significantly strengthen their resilience against cyberattacks and better protect their communities.
Given the heightened activity by Volt Typhoon, advisories have been released by the respective vendors for specific patching and mitigation tactics for the CVEs commonly exploited; learn more here.
If you are unsure whether your systems have been affected by Volt Typhoon or another APT, Tenable offers several solutions to help identify potential exposures and attack paths, as well as identify systems vulnerable to the CVEs noted in the research linked above.
Implementing cyber hygiene best practicesBasic cyber hygiene practices, including asset management, vulnerability management and identity and access management are crucial in today's digital landscape. State and local governments need to ensure they have visibility across their entire attack surface, including their IT, internet of things (IoT) and operational technology (OT) assets to know where they are exposed. This is critical when a vulnerability is discovered, especially as state-sponsored groups like Volt Typhoon are continuing to target U.S. critical infrastructure.
Understanding Volt Typhoon's TTPs equips state and local governments with valuable insights to enhance their cybersecurity posture. By implementing proactive exposure management measures, state and local officials can significantly strengthen their resilience against cyberattacks and better protect their communities.
If you want to learn more about Volt Typhoon and the Tenable Security Response Team’s research, review the findings here.
Learn moreHornetsecurity launched DMARC Manager, an advanced tool addresses the complex challenges organisations face in managing DMARC, DKIM, and SPF configurations, especially for those operating across multiple domains. As email threats such as fraud and impersonation attacks continue to rise, the need for robust email authentication practices has never been more critical. DMARC Manager is designed to empower administrators and CISOs by providing an intuitive solution for setting up and maintaining best practices in email authentication. … More →
The post Hornetsecurity DMARC Manager protects against fraud and phishing attacks appeared first on Help Net Security.
One of Google Cloud's major missions is to arm security professionals with modern tools to help them defend against the latest threats. Part of that mission involves moving closer to a more autonomous, adaptive approach in threat intelligence automation.
In our latest advancements in malware analysis, we’re equipping Gemini with new capabilities to address obfuscation techniques and obtain real-time insights on indicators of compromise (IOCs). By integrating the Code Interpreter extension, Gemini can now dynamically create and execute code to help deobfuscate specific strings or code sections, while Google Threat Intelligence (GTI) function calling enables it to query GTI for additional context on URLs, IPs, and domains found within malware samples. These tools are a step toward transforming Gemini into a more adaptive agent for malware analysis, enhancing its ability to interpret obfuscated elements and gather contextual information based on the unique characteristics of each sample.
Building on this foundation, we previously explored critical preparatory steps with Gemini 1.5 Pro, leveraging its expansive 2-million-token input window to process substantial sections of decompiled code in a single pass. To further enhance scalability, we introduced Gemini 1.5 Flash, incorporating automated binary unpacking through Mandiant Backscatter before the decompilation phase to tackle certain obfuscation techniques. Yet, as any seasoned malware analyst knows, the true challenge often begins once the code is exposed. Malware developers frequently employ obfuscation tactics to conceal critical IOCs and underlying logic. Malware may also download additional malicious code, making it challenging to fully understand the behavior of a given sample.
For large language models (LLMs), obfuscation techniques and additional payloads create unique challenges. When dealing with obfuscated strings such as URLs, IPs, domains, or file names, LLMs often “hallucinate” without explicit decoding methods. Additionally, LLMs cannot access, for example, URLs that host additional payloads, often resulting in speculative interpretations about the sample’s behavior.
To help with these challenges, Code Interpreter and GTI function calling tools provide targeted solutions. Code Interpreter enables Gemini to autonomously create and execute custom scripts, as needed, using its own judgment to decode obfuscated elements within a sample, such as strings encoded with XOR-based algorithms. This capability minimizes interpretation errors and enhances Gemini's ability to reveal hidden logic without requiring manual intervention.
Meanwhile, GTI function calling expands Gemini’s reach by retrieving contextualized information from Google Threat Intelligence on suspicious external resources such as URLs, IPs, or domains, providing verified insights without speculative guesses. Together, these tools equip Gemini to better handle obfuscated or externally hosted data, bringing it closer to the goal of functioning as an autonomous agent for malware analysis.
To illustrate how these enhancements boost Gemini's capabilities, let's look at a practical example. In this case, we’re analyzing a PowerShell script that contains an obfuscated URL that hosts a second-stage payload. This particular sample was previously analyzed with some of the most advanced publicly available LLM models, which incorporate code generation and execution as part of their reasoning process. Despite these capabilities, each model “hallucinated,” generating completely fabricated URLs instead of accurately revealing the correct one.
Obfuscated PowerShell code sample to be analyzed by Gemini
Utilizing Code Interpreter and GTI function calling as part of its reasoning process, Gemini autonomously generated the following report without any human intervention. When deemed necessary, it applies these tools to process and extract additional information from the sample.
Final Report: PowerShell Malware with URL DeobfuscationThis report analyzes a PowerShell script designed to download and execute a file from an obfuscated URL. The script employs a custom obfuscation routine resembling the RC4 stream cipher to conceal the malicious URL.
Functionality:
Obfuscation Routine: The script defines a function F that performs byte-level XOR encryption using a key derived from the string "tox2". This function is used to deobfuscate the malicious URL.
URL Decryption: The obfuscated URL, stored as a byte array, is decrypted using the F function with "tox2" as the key.
File Download: The script downloads a file from the decrypted URL (hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi) and saves it to the system's temporary directory under a randomly generated filename.
Execution: Finally, the script executes the downloaded file.
Indicators of Compromise (IOCs):
URL: hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi
Deobfuscation Code:
def deobfuscate(x, y): s = list(range(256)) j = 0 k = [ord(c) for c in y] for i in range(256): j = (j + s[i] + k[i % len(k)]) % 256 s[i], s[j] = s[j], s[i] i = 0 j = 0 output = [] for m in range(len(x)): i = (i + 1) % 256 j = (j + s[i]) % 256 s[i], s[j] = s[j], s[i] output.append(x[m] ^ s[(s[i] + s[j]) % 256]) return output a = [0x25, 0x7B, 0x5A, 0xD8, 0x9C, 0xFF, 0xC3, 0xA4, 0x95, 0xB7, 0x9D, 0x6E, 0x5F, 0x4D, 0x49, 0xFB, 0x78, 0x32, 0xB8, 0x17, 0x72, 0x01, 0x31, 0xFB, 0xC0, 0x58, 0x45, 0xCB, 0x5C, 0x3C, 0xDD, 0x00, 0x60, 0x87, 0x25, 0xB2, 0x44, 0xA6, 0xC5, 0xEA, 0x71, 0xAA, 0x9D, 0xA1, 0x05, 0x5F, 0xBD, 0x41, 0x28, 0x70, 0x30, 0x6B, 0x96, 0x24, 0x92, 0xA0, 0x9D, 0x92, 0x23, 0x79, 0x69, 0x2C, 0x1B, 0x1E, 0xEB, 0x69, 0x8F, 0x04, 0x10, 0x74, 0xBC] b = "tox2" c = deobfuscate(a, b) decoded_url = "".join(chr(i) for i in c) print(decoded_url)Google Threat Intelligence (GTI) Lookup:
The GTI lookup provides valuable context regarding the identified IOC:
Threat Actor: UNC5687, known for using MESHAGENT in phishing campaigns impersonating the Security Service of Ukraine.
Campaign: This specific URL is linked to a campaign spreading MESHAGENT via phishing emails with malicious links. The campaign involved a captcha page leading to the download of either a malicious MSI or EXE file.
Malware: The campaign delivers MESHAGENT, an open-source remote access framework, configured to communicate with C2 domains linked to a service called "AnonVNC."
Conclusion:
The analyzed PowerShell script is confirmed to be malicious, associated with a phishing campaign by UNC5687 distributing the MESHAGENT remote access tool.
Gemini identified that the script employs an XOR-based obfuscation algorithm that resembles RC4 to conceal the download URL. Recognizing this pattern, Gemini autonomously generates and executes a Python deobfuscation script within the Code Interpreter sandbox, successfully revealing the external resource.
With the URL in hand, Gemini then utilizes GTI function calling to query Google Threat Intelligence for further context. This analysis links the URL to UNC5687, a threat cluster known for using a remote access tool in phishing campaigns impersonating the Security Service of Ukraine.
As we’ve seen, the integration of these tools has strengthened Gemini’s ability to function as a malware analyst capable of adapting its approach to address obfuscation and gathering vital context on IOCs. By incorporating the Code Interpreter and GTI function calling, Gemini is better equipped to navigate complex samples by autonomously interpreting hidden elements and contextualizing external references.
While these are significant advancements, many challenges remain, especially given the vast diversity of malware and scenarios that exist in the threat landscape. We’re committed to making steady progress, and future updates will continue to enhance Gemini's capabilities, moving us closer to a more autonomous, adaptive approach in threat intelligence automation.
Volt Typhoon, a state-sponsored actor linked to the People’s Republic of China, has consistently targeted U.S. critical infrastructure with the intent to maintain persistent access. Tenable Research examines the tactics, techniques and procedures of this threat actor.
BackgroundThe cyberthreat landscape is always evolving, with security teams continuously facing new threats and attacks from a myriad of malicious groups, including ransomware gangs and small collectives chasing financial gain or even clout in the hacking community. Meanwhile, advanced persistent threat (APT) actors continue to loom in the shadows, carefully planning and executing their next attack. One such APT group is Volt Typhoon, a People’s Republic of China (PRC) state-sponsored actor. Volt Typhoon has been the subject of multiple cybersecurity advisories (CSA) from the Cybersecurity and Infrastructure Security Agency (CISA) along with joint partners, including international cybersecurity agencies, with warnings of the threat group targeting critical infrastructure in the U.S. and beyond. According to multiple reports, Volt Typhoon operates by pre-positioning themselves, actively working to maintain persistence in anticipation of conducting future attacks targeting U.S critical infrastructure, showing a specific interest in operational technology (OT) environments. Targeted sectors include communications, energy, transportation systems and water and wastewater systems. Volt Typhoon, historically associated with BRONZE SILHOUETTE, has been categorized under various aliases by different threat intelligence teams. These include Voltzite and Insidious Taurus in certain intelligence circles, DEV-0391 by Microsoft and UNC3236 by Mandiant (FireEye) before its formal attribution as Volt Typhoon. Additionally, CrowdStrike tracks the group under the name Vanguard Panda. As we examine the tactics, techniques and procedures (TTPs) employed by Volt Typhoon, we will also discuss known vulnerabilities associated with this threat actor.
AnalysisVolt Typhoon is a sophisticated threat group whose expertise lies in maintaining persistence for as long as possible. They achieve this by blending in with seemingly normal-looking traffic using living off the land (LOTL) techniques, meaning they’ll utilize an operating system’s (OS) built-in tools. Additionally, this group works using hands-on-keyboard attacks, rather than relying on automated malware scripts. This allows them to customize their attacks and conduct reconnaissance of a target in a stealthy manner. Volt Typhoon typically gains initial access to targets by exploiting unpatched vulnerabilities including zero-day flaws. In an effort to make traffic to their targets seem more benign, they utilize compromised small-office home-office (SOHO) routers and network devices as intermediary devices to proxy their traffic. This makes their network traffic seem legitimate and helps to avoid any geolocation firewall rules. For more information, read the blog Volt Typhoon: What State and Local Government Officials Should Know.
Source: Microsoft Threat Intelligence
Initial access
Volt Typhoon typically gains initial access to targeted systems by exploiting vulnerabilities in publicly exposed systems, specifically firewalls, VPN appliances and web servers. The group takes advantage of weak credentials and unpatched vulnerabilities in perimeter devices. Once inside, Volt Typhoon leverages legitimate tools already present within the system to avoid detection.
SOHO devices: unsecured, unpatched and misconfigured
Thanks to unpatched, end-of-life (EOL) or misconfigured network devices that are internet accessible, Volt Typhoon capitalizes on compromising these devices in order to proxy their traffic and utilize the devices as launch points for their attacks. This includes devices from ASUS, Cisco RV, Draytek Vigor, FatPipe IPVPN/MPVPN/WARP, Fortinet Fortigate, Netgear Prosafe and Zyxel USG. These network devices are widely used and many EOL devices have known and exploitable vulnerabilities with readily available exploit code. Others may be misconfigured, leaving administrative portals internet accessible and utilizing default credentials. Once compromised, these devices are then implanted with the KV Botnet malware.
Living-off-the-land tactics
Rather than deploying custom malware or tools, Volt Typhoon uses native Windows tools like cmd.exe, netsh and PowerShell to execute commands and conduct lateral movement across compromised networks. By avoiding the use of external tools, the group minimizes their digital footprint, making detection through traditional signature-based antivirus systems more challenging. Many of these commands are not logged by the OS and, in cases where logging is enabled, the threat actors can rotate or delete the logs to hide evidence of the commands they executed.
Credential harvesting and lateral movement
Volt Typhoon utilizes credential dumping techniques to extract valuable login information from compromised systems. Tools like Mimikatz are deployed to extract credentials from memory, which are used to move laterally across the network. Remote desktop protocol (RDP) and other remote desktop tools are often used to facilitate further access to internal systems.
Once inside, Volt Typhoon maintains persistence by modifying legitimate software and using the built-in Windows Task Scheduler to establish scheduled tasks for regular access, ensuring long-term surveillance capabilities. The threat actor focuses on exfiltrating sensitive data and monitoring critical infrastructure communications.
Volt Typhoon has been observed creating a shadow copy of ntds.dit, the main Active Directory (AD) database. This file contains password hashes which the threat actor can attempt to crack offline and utilize any stolen passwords to continue exploitation of a network. Because they rely on using built-in OS commands, they are able to keep a low profile and evade endpoint detection and response (EDR) solutions in what seems like benign system activity.
Known CVEs commonly exploited by Volt Typhoon
While not an exhaustive list, the table below highlights some of the CVEs known to have been exploited by Volt Typhoon.
CVEDescriptionCVSSv3 ScoreVPRCVE-2021-27860FatPipe WARP, IPVPN, MPVPN Unrestricted Upload of File with Dangerous Type8.87.4CVE-2021-40539Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability9.89CVE-2022-42475Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability9.88.9CVE-2023-27997Fortinet FortiOS and FortiProxy Heap-Based Buffer Overflow Vulnerability9.89CVE-2024-39717Versa Director File Upload Vulnerability7.28.4*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on November 19 and reflects VPR at that time.
Unpatched VPNs targeted — a recurring trend
Volt Typhoon’s exploitation of unpatched vulnerabilities in Virtual Private Network (VPN) solutions is part of a broader trend seen across many APT groups. Threat actors leverage these VPN flaws to bypass security controls and establish long-term access within networks. Their focus on exploiting unpatched VPNs mirrors tactics of other state-sponsored actors, such as the Iranian threat actors detailed in the AA24-241A Joint Cybersecurity Advisory, who similarly target and exploit known VPN vulnerabilities to gain initial access and carry out espionage or disruptive campaigns. This recurring pattern underscores the critical need for organizations, particularly those in critical infrastructure, to prioritize patch management and ensure robust security for VPN systems.
Proof of conceptThe availability of proof-of-concept (PoC) exploits for the vulnerabilities exploited by Volt Typhoon varies across different CVEs. For CVE-2021-27860, there is no known public PoC currently available. In contrast, CVE-2021-40539, a vulnerability in Zoho ADSelfService Plus, has a partial PoC provided by Synacktiv, both in the form of a technical analysis and a working exploit shared on GitHub. This resource offers detailed guidance on how to achieve remote code execution by manipulating requests to the vulnerable service.
For CVE-2022-42475 and CVE-2023-27997 impacting Fortinet’s FortiOS and FortiProxy SSL-VPN systems, public PoCs are readily available on platforms like GitHub (CVE-2023-27997 for example) and have been widely shared on X (formerly Twitter). These PoCs demonstrate how attackers can exploit heap-based buffer overflows to achieve remote code execution, highlighting the criticality of patching affected systems.
Lastly, there is no publicly available PoC for CVE-2024-39717, a newly disclosed file upload vulnerability in Versa Director.
The varying availability of these PoCs stresses the need for organizations to proactively patch and monitor for signs of exploitation.
SolutionEach of the vulnerabilities flagged as targeted by Volt Typhoon have patches and mitigations released by the respective vendors. We recommend reviewing each of the vendors’ advisories shown below:
Tenable offers several solutions to help identify potential exposures and attack paths as well as identifying systems vulnerable to the CVEs mentioned in this blog. For a holistic approach, we recommend Tenable One. The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies — including identity solutions (e.g., Active Directory); cloud configurations and deployments; and web applications.
Tenable Plugin Coverage
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2021-40539, CVE-2021-27860, CVE-2022-42475, CVE-2023-27997 and CVE-2024-39717. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Tenable attach path techniques
MITRE ATT&CK IDDescriptionTenable attack path techniquesT1003.001OS Credential Dumping: LSASS MemoryT1003.001_WindowsT1003.003OS Credential Dumping: NTDST1003.003_WindowsT1012Query RegistryT1012_WindowsT1059.001Command and Scripting Interpreter: PowerShellT1059.001_WindowsT1059.003Command and Scripting Interpreter: Windows Command ShellT1059.003_WindowsT1069.001Permission Groups Discovery: Local GroupsT1069.001_WindowsT1069.002Permission Groups Discovery: Domain GroupsT1069.002_WindowsT1078.002Valid Accounts: Domain AccountsT1078.002_WindowsT1053Scheduled Task/Job: Scheduled TaskT1053.005_WindowsT1110.003Brute Force: Password SprayingT1110.003_WindowsT1518Software DiscoveryT1518.001_WindowsTenable Identity Exposure Indicators of Exposure and Indicators of Attack
MITRE ATT&CK IDDescriptionIndicatorsT1003OS Credential DumpingC-ADM-ACC-USAGET1003.001OS Credential Dumping: LSASS MemoryC-PROTECTED-USERS-GROUP-UNUSEDI-ProcessInjectionLsassT1003.003OS Credential Dumping: NTDSI-NtdsExtractionT1069.001Permission Groups Discovery: Local GroupsI-ReconAdminsEnumT1110Brute ForceC-PASSWORD-HASHES-ANALYSISC-PASSWORD-POLICYMISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNTMISSING-MFA-FOR-PRIVILEGED-ACCOUNTT1110.003Brute Force: Password SprayingI-PasswordSprayingTenable Web App Scanning
MITRE ATT&CK IDDescriptionIndicatorsT1190Exploit Public-Facing ApplicationT1190_WASGet more informationJoin Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.