Security Boulevard

via the comic & dry wit of Randall Munroe, creator of XKCD

Permalink

The post Randall Munroe’s XKCD ‘Vice President First Names’ appeared first on Security Boulevard.

Torrance, Calif., Aug. 12, 2024, CyberNewsWire — Criminal IP, an expanding Cyber Threat Intelligence (CTI) search engine from AI SPERA, has recently completed its technology integration with Maltego, a global all-in-one investigation platform that specializes in visualized analysis … (more…)

The post News alert: Criminal IP and Maltego team up to broaden threat intelligence data search first appeared on The Last Watchdog.

The post News alert: Criminal IP and Maltego team up to broaden threat intelligence data search appeared first on Security Boulevard.

In today’s rapidly evolving digital landscape, ensuring the security of web applications is essential to ensure revenue growth and a positive business reputation. One critical aspect of this security is the management of SSL/TLS certificates. The AppViewX AVX ONE platform is a comprehensive solution designed to automate and streamline the end-to-end lifecycle of digital certificates […]

The post AppViewX Automated Certificate Management for PingAccess appeared first on Security Boulevard.

Authors/Presenters:Feng Dong, Liu Wang Xu Nie, Fei Shao, Haoyu Wang, Ding Li, Xiapu Luo, Xusheng Xiao

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – DISTDET: A Cost-Effective Distributed Cyber Threat Detection System appeared first on Security Boulevard.

Threat Intelligence Report

Date: August 12, 2024

Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS

Threat Actors Exploiting Legitimate Services to Disguise Traffic

Recently, the HYAS Threat Intelligence team has noticed an increase in malware communicating with subdomains under the ply.gg domain. The domain is a part of Playit.gg’s infrastructure, which is a service for computer gamers used to facilitate online play. Although intended for games like Minecraft, it provides a free domain name and a reverse proxy, which is a tool a threat actor can use to hide their malicious infrastructure.

This article demonstrates how threat actors will use legitimate services to disguise their traffic and hide their true location from investigators. It also draws attention to the ply.gg domain as a potential threat vector for malware-based attacks on organizations and individuals.

About Reverse Proxies

A reverse proxy is a server that sits between client devices and a server, intercepting requests from clients and forwarding them to the intended server. It functions as an intermediary that enhances the performance, security, and reliability of services.

Typical Uses of Reverse Proxies

1. Load Balancing:

Reverse proxies distribute incoming traffic across multiple servers to ensure no single server becomes overwhelmed. This improves the availability and reliability of applications, particularly those experiencing high traffic volumes.

2. Enhanced Security:

By hiding the backend servers' IP addresses, reverse proxies add an additional layer of security. They can also block malicious requests, protect against Distributed Denial-of-Service (DDoS) attacks, and serve as a first line of defense in a network security strategy.

3. SSL Termination:

Reverse proxies can manage SSL/TLS encryption and decryption, relieving backend servers from the computational load of handling these tasks. This is particularly useful for improving the performance of HTTPS websites.

4. Web Acceleration:

By caching content, reverse proxies can reduce the load on backend servers and speed up response times for users. This is beneficial for delivering static content such as images, stylesheets, and scripts more efficiently.

5. Content Filtering:

Reverse proxies can inspect and filter incoming requests to ensure they meet predefined criteria. This is useful for content filtering, enforcing security policies, and preventing access to restricted areas.

6. Compression:

They can compress outbound data to reduce the amount of bandwidth used, which can be particularly beneficial for users with slow internet connections.

Reverse Proxies in Malicious Activities

While reverse proxies serve many legitimate purposes, they can also be exploited by threat actors to conceal malicious activities. Cybercriminals use reverse proxies to:

• Hide Malicious Infrastructure: By routing traffic through a reverse proxy, attackers can mask the true location of their command-and-control (C2) servers, making it difficult for investigators to trace and shut them down.
• Bypass Security Measures: Reverse proxies can help bypass IP-based security controls, allowing attackers to evade detection and maintain persistent access to compromised systems.
• Proxy for Anonymity: Using reverse proxies helps cybercriminals maintain anonymity by preventing the exposure of their actual IP addresses during malicious campaigns.

By leveraging services like Playit.gg, threat actors can blend their traffic with legitimate gaming traffic, complicating efforts to detect and block malicious communications. Recognizing and understanding the use of reverse proxies is crucial for enhancing cybersecurity measures and thwarting such threats.

How Threat Actors Could Utilize Playit.gg

Threat actors could exploit the Playit.gg service to hide their malicious infrastructure and facilitate Command and Control (C2) operations. Here's a step-by-step breakdown of how this can be achieved:

1. Account Creation and Verification:

• The threat actor creates an account on Playit.gg by providing an email address.
• The email address is verified through a confirmation process, granting access to the service.

2. Download and Setup:

• An application is downloaded from Playit.gg and installed on a server controlled by the threat actor.
• The application is linked to the Playit.gg account, often requiring verification through the website.

3. Establishing and Hardening the C2 Server:

• The C2 server is configured to ensure it can only be accessed by the operators and through the Playit.gg proxy network.
• Security measures, such as IP allowlisting and authentication, are implemented to harden the C2 server against unauthorized access.

4. Configuring the Malware:

• The port number and the assigned domain name (provided by Playit.gg) are entered into the malware's configuration. These details are embedded in the malware, which is then deployed to victim devices.

5. Routing Malware Communications:

• Once the malware is active on victim devices, it initiates communication with the C2 server.
• All communications between the malware and the C2 server are routed through the Playit.gg proxy network.
• This setup masks the true location of the threat actor's server, making it challenging for defenders to trace and block the malicious infrastructure.

By leveraging Playit.gg, threat actors can seamlessly integrate their C2 infrastructure within legitimate gaming traffic. This not only obfuscates their activities but also complicates detection efforts by cybersecurity professionals, as the traffic appears to come from a well-known and trusted service.

(Image: Warning during configuration of playit.gg service)

Playit.gg clearly recognizes the potential for misuse on the platform and expressly forbids it from being used in such a way.

Recommendations

1. Restrict Access to the ply.gg Domain:
Organizations should consider blocking access to the ply.gg domain at the network level. This can be achieved through protective DNS solutions, or firewall rules to prevent potential malware communications from reaching their command-and-control (C2) servers.

2. Monitor Network Traffic for Anomalies:
Regularly monitor network traffic for any unusual or unauthorized connections to the ply.gg domain. Implementing advanced threat detection systems can help identify and alert on suspicious traffic patterns associated with C2 communication.

3. Implement Threat Intelligence Feeds:
Incorporate threat intelligence feeds that include indicators of compromise (IoCs) related to ply.gg and other similar domains. This can help in detecting and blocking known malicious activities associated with these services.

4. Educate Employees on Potential Threats:
Raise awareness among employees about the risks of accessing unauthorized or suspicious domains, including those related to gaming services like Playit.gg. Training should focus on recognizing phishing attempts and avoiding the installation of unauthorized software.

5. Enhance Endpoint Security:
Ensure that endpoint protection solutions are up-to-date and capable of detecting and blocking malware that may attempt to use ply.gg for C2 communication. Advanced endpoint detection and response (EDR) solutions can provide additional layers of protection.

6. Engage in Regular Security Audits:
Conduct regular security audits and vulnerability assessments to identify any weaknesses in your network that could be exploited by threat actors using reverse proxies like those provided by Playit.gg.

7. Collaborate with Threat Intelligence Providers:
Work closely with threat intelligence providers like HYAS, to stay informed about emerging threats and to receive timely updates on domains and services being exploited by cybercriminals.

By implementing these measures, organizations can significantly reduce the risk of malware using the ply.gg domain as a vector for attacks, thereby enhancing their overall cybersecurity posture.

Recent Example IOCs

Domain: ads-jeremy.gl.at.ply[.]gg
MD5: 36a75d896d48d43a54a8792fd92f3912
Family: asyncrat

Domain: paris-itself.gl.at.ply[.]gg
MD5: 9b2b8770c462d91bcf4d915cbea54202
Family: asyncrat

Domain: tax-sri.gl.at.ply[.]gg
MD5: b0198f2d25536cb8efb928857f696c1b
Family: nanocore

Domain: dead-he.gl.at.ply[.]gg
MD5:ad0314c9588f196a9a752b6732cf9612
Family: xworm

Domain: western-requires.gl.at.ply[.]gg
MD5:553326c1417f4220586311bae847d37b
Family: xworm

Domain: to-reconstruction.gl.at.ply[.]gg
MD5: ca312e982c9e4e5664ef45e8cb2be9cf
Family: xworm

Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.

Learn More About HYAS Insight

An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.

Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.

Want more threat intel on a weekly basis?
Follow HYAS on LinkedIn
Follow HYAS on X

Sign up for the (free!) HYAS Insight Intel Feed

Read Recent HYAS Threat Reports:

The Prevalence of DarkComet In Dynamic DNS
Caught in the Act: StealC, the Cyber Thief in C
HYAS Protects Against Polyfill.io Supply Chain Attack with DNS Safeguards
StealC & Vidar Malware Campaign Identified

More from HYAS Labs

Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.
Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.

The post HYAS Investigates Threat Actors Hidden In Gaming Services appeared first on Security Boulevard.

Get the essential checklist for POPIA compliance. Learn key requirements and steps to meet South Africa's data protection law.

The post How to Achieve POPIA Compliance: Complete Checklist appeared first on Scytale.

The post How to Achieve POPIA Compliance: Complete Checklist appeared first on Security Boulevard.

The Trump campaign is claiming a hack is the work of Iranian operatives, adding to expanding election-interference campaigns that also include China and Russia, which the federal government calls the "predominant threat to U.S. elections."

The post Trump Campaign Hack Points to Growing U.S. Election Threats appeared first on Security Boulevard.

Identifying and addressing underlying issues and their root causes can lead to risk reduction, cost savings and better overall performance of a vulnerability management program.

The post The Value in Root Cause Analysis for Vulnerability Management appeared first on Security Boulevard.

Torrance, United States / California, 12th August 2024, CyberNewsWire

The post Criminal IP and Maltego Collaborate to Broaden Threat Intelligence Data Search appeared first on Security Boulevard.

A global survey of 300 IT and security professionals suggests that while security budgets are increasing the way funding is being allocated is shifting as organizations look to automate workflows.

The post Survey: Cybersecurity Teams Investing in Automation to Reduce Noise Levels appeared first on Security Boulevard.

Chief information security officers (CISOs) are struggling to manage cybersecurity effectively due to a lack of strategic support from other C-suite executives, according to a LevelBlue survey of 1,050 C-suite and senior executives.

The post AI Integration, Budget Pressures Challenge CISOs appeared first on Security Boulevard.

In today’s digital world, data exfiltration is a stealthy threat that often flies under the radar.

The post How Outdated Security Measures Can Devastate Your Organization appeared first on Seceon.

The post How Outdated Security Measures Can Devastate Your Organization appeared first on Security Boulevard.

Apache Tomcat is a widely used open-source web server and servlet container, but like any software, it is not immune to vulnerabilities. Canonical has released security updates to address multiple Tomcat vulnerabilities across different releases, including Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 ESM, and Ubuntu 16.04 ESM. These vulnerabilities, if exploited could lead […]

The post Addressing Tomcat Vulnerabilities in End-of-Life Ubuntu Systems appeared first on TuxCare.

The post Addressing Tomcat Vulnerabilities in End-of-Life Ubuntu Systems appeared first on Security Boulevard.

I recently wrote about reliable software. I also usually write about cybersecurity and major incidents. Today’s story intertwines both, in a situation so far reaching that, if you tried to write it as the script of the next Bond movie with a villain scheming to cause worldwide chaos, it would fit perfectly. Let’s look at […]

The post Crowdstrike, or “How to Own the Planet” appeared first on TuxCare.

The post Crowdstrike, or “How to Own the Planet” appeared first on Security Boulevard.

LAS VEGAS – Here’s what I discovered last week here at Black Hat USA 2024: GenAI is  very much in the mix as a potent X-factor in cybersecurity.

Related: Prioritizing digital resiliency

I spoke with over three dozen cybersecurity … (more…)

The post MY TAKE: Black Hat USA 2024’s big takeaway – GenAI factors into the quest for digital resiliency first appeared on The Last Watchdog.

The post MY TAKE: Black Hat USA 2024’s big takeaway – GenAI factors into the quest for digital resiliency appeared first on Security Boulevard.

Authors/Presenters:Yisroel Mirsky, George Macon, Michael Brown, Carter Yagemann, Matthew Pruett, Evan Downing, Sukarno Mertoguno, Wenke Lee

Many thanks to USENIX for publishing their outstanding USENIX Security ’23 Presenter’s content, and the organizations strong commitment to Open Access. Originating from the conference’s events situated at the Anaheim Marriott; and via the organizations YouTube channel.

Permalink

The post USENIX Security ’23 – VulChecker: Graph-based Vulnerability Localization in Source Code appeared first on Security Boulevard.

Carter Schoenberg is a trusted security expert who has vast experience in the public and private sectors. Here’s his guidance on what works and what doesn’t with the cybersecurity industry.

The post Book Review: ‘Why Cybersecurity Fails in America’ appeared first on Security Boulevard.

See how a SafeBreach Labs researcher bypassed the anti-tampering mechanism of a leading EDR to execute malicious code within one of the EDR's own processes and altered the mechanism to gain unique, persistent, and fully undetectable capabilities.

The post QuickShell: Sharing Is Caring about an RCE Attack Chain on Quick Share appeared first on SafeBreach.

The post QuickShell: Sharing Is Caring about an RCE Attack Chain on Quick Share appeared first on Security Boulevard.

It's 2009 and I just stumbled upon the extremely sophisticated Xedant Human Emulator (XHE) (hxxp://humanemulator.info) which basically automates human interactions with Web and online properties to the point of sophisticated and was in a way heavily advertised on various cybercrime-friendly forum communities back in the day.

Primary project's contact points:

[email protected]

ICQ:  420-444-071

WebMoney: Z898663059839

Some of its features include:

submission of information to the web - for example: registration in various directories and sites, adding posts to the forum, etc.

site audit (validity check);

collecting data from other sites;

emulation of traffic to the site;

automation of Internet surfing tasks;

checking website content updates;

website performance testing;

autologin, auto-posting on several forums;

management of advertising companies in Google Adwords;

cheating counters, auto clicking;

transferring a website/blog from one engine to another;

integration of offline and online applications;

working with AJAX or closed areas of sites;

complete human emulation, down to mouse movement and keystrokes;

Sample screenshots:

If it's everything that you ever wanted in the context of emulating a human or human actions targeting a specific Web site or web property including all the joys of outsourced as always CAPTCHA recognition in a cost-effective manner this is the tool that you really need in 2009.

The post Emulating Humans for Cybercrime Purposes appeared first on Security Boulevard.

Кой е човека който дава определение на това какво е циганин? Ако си циганин да ти еба майката путката мръсна и да не си измисля работи от на майка ти путката мръсна мизерстващи цигани такива. Специален поздрав от отдел "Ахахахаха не се притеснявайте много ама това е обида". Настройване на честотите на тези, които наистина са го направили, тези, които наистина го правят, и на тези, които наистина мислят, че го правят. Циганските крале, които ги разрешават, са тези, които наистина го правят. Хуят който разрешава майка ти е хуят който майка ти позволява на цигански циганин като теб псевдо-европейско мизерстващ циганин такъв. И циганите да "прередиш" майка ти циганската няма да я прецениш. Ти си просто един тъп ниско платен необразован безсперспективен безсмислен необразован и ниско платен циганин на който нито майка му нито безспеспективното му образование е признато някъде другаде освен в тоалетната. В тоалетната с огледало където когато сереш гледаш себе си и си мислиш дори и без да мислиш защото си тъп за лайното което си. А то е? Безсмислено като "теб". Неудачно и безсперспектовно унужаващо лайно за обществото което си. Едно лайно. Да направим състезание. Купете си огледало и се изсерете пред него. Сега погледнете себе си. Това сте вие. Сега да направим друго. Пред майчиното изсиране на майка ти нечистоплътната и мизерстваща гъзообразия и на майка ти мизерстващите простотий това си ти. Един мизерстващ мозъчно некадърен лайнясал неудачен мизерстващ циганин. На майка ти мизерстващата цицеща педерастия е на майка ти живота и нейната педерастия. Значи? Поздрави на теб. Нейния неудачен необразован ниско платен и безспеспективен наудачен цигански нещастник който те наричат по име? Какво ти е името? Ти си просто един тъп циганин в илюзията на майка ти циганската и в собствената си циганска илюзия. Поздрави на всички. Явор Колев е най-големия и издънен педераст в Република България начело с най големият педераст в Република България Бойко Борисов. Да ми целуване асматичните задница ама да ги изселвате много некадърни и безработни улични педерастки копелета такива и дано ви се изсерат през газъ и да ви излезе през носъ и да ви излезе през носъ провинциални селски копеленца цигански некадърдни копелета такъва.

The post Специални Поздрави За Всички Който "Го Правят" В България appeared first on Security Boulevard.