Tag Archive for: agent

New Agent Tesla Variant Uses Excel Exploit to Infect Windows PC


The new Agent Tesla variant exploits the CVE-2017-11882/CVE-2018-0802 vulnerability to execute the malware.

Key Findings

  • A new variant of the Agent Tesla malware family is being used in a phishing campaign.
  • The malware can steal credentials, keylogging data, and active screenshots from the victim’s device.
  • The malware is spread through a malicious MS Excel attachment in phishing emails.
  • The malware exploits an old security vulnerability (CVE-2017-11882/CVE-2018-0802) to infect Windows devices.
  • The malware ensures persistence even when the device is restarted or the malware process is killed.

New Agent Tesla Variant Detected in Malicious Phishing Campaign

FortiGuard Labs threat researchers have detected a new variant of the notorious Agent Tesla malware family used in a phishing campaign. Report author Xiaopeng Zhang revealed that the malware can steal “credentials, keylogging data, and active screenshots” from the victim’s device. Stolen data is transferred to the malware operator through email or SMTP protocol. The malware mainly infects Windows devices.

For your information, Agent Tesla malware is also offered as a Malware-as-a-Service tool. The malware variants use a data stealer and .NET-based RAT (remote access trojan) for initial access.

How Do Phishers Trap Users?

This is a phishing campaign, so initial access is gained through a phishing email designed to trick users into downloading the malware. The email is a Purchase Order notification that asks the recipient to confirm their order from an industrial equipment supplier.

The email contains a malicious MS Excel attachment titled Order 45232429.xls. The document is in OLE format and contains crafted equation data that exploits an old remote code execution (RCE) vulnerability, tracked as CVE-2017-11882/CVE-2018-0802, instead of using a VBS macro.

This vulnerability causes memory corruption in the EQNEDT32.EXE process and allows arbitrary code execution via process hollowing, a technique in which the attacker replaces a legitimate process's executable code with malicious code.

Shellcode then downloads and executes the Agent Tesla file (dasHost.exe) from the link “hxxp://2395.128.195/3355/chromium.exe” onto the targeted…

Source…

Analyst Notes – IC Consult & ICSynergy, Open Policy Agent and Consumer Identity Market Explosion


A few items that have popped into The Cyber Hut inboxes over the past week relating to funding and vendor news.

iC Consult Group Completes Acquisition of ICSynergy

iC Consult, a European consulting firm focused specifically on identity and access management, announced that it had acquired US integrator ICSynergy. ICSynergy has been around since 2000 and is based out of Texas. It provides both IAM and PAM advisory services, and LinkedIn lists 65 employees. Whilst an advisory outfit, it does have a “product” focus in the form of IdentityRM. This is a relationship management tool that looks to solve the complex interactions often found in B2X business models, something many classic IAM platforms fail to deliver against. IC Consult is by far the bigger of the two organisations, with nearly 300 employees according to LinkedIn and a broad focus across both B2E and B2C identity deployments.

The Challenges of OPA?

OPA (Open Policy Agent) has been around for a number of years and has seemingly taken the lead in the popularity stakes when it comes to microservices protection and “policy-as-code” style architectures. The Cyber Hut recently did a technology test drive of the project, with its highly capable Rego language and deployment capabilities. However, as the number of deployments rockets, a secondary overlay industry is emerging, with numerous services providing user interface, policy management and governance services based on OPA.

See PlainID, Cloudentity and Scaled Access as some examples, though that is by no means the entire list; the maintainers of OPA, Styra, of course provide an entire capability suite to support OPA.

A recent blog by authorization startup Aserto amplifies the talk track around how policy code needs to be version controlled and distributed. This is an interesting secondary problem for those building more complex architectures with codified access control.

Consumer IAM market to reach $17.6 billion by 2026

Apparently the CIAM market is going to be worth $17.6 billion in 4 years' time. I can’t argue either way, and I’m never really a fan of futurism when it comes to total addressable market sizes; however, there is no denying that…

Source…

Hackers in Cox Communications Data Breach Impersonated Company’s Support Agent to Access Customer Information


Atlanta-based digital cable television, internet, and phone services provider Cox Communications has disclosed a data breach that exposed customer information.

Cox said it learned on October 11, 2021, that a hacker impersonated a support agent and gained access to some customers’ personal information.

With over 20,000 employees and 6.5 million customers, Cox ranks as the third-largest cable television provider and seventh-largest telephone carrier in the United States.

The October data breach was the second cybersecurity incident, six months after the ransomware attack that affected Cox Media Group (CMG) in June 2021.

Hackers accessed personally identifiable information (PII) in the Cox data breach

Cox Communications said that the hackers impersonated a support agent and accessed customer account information. The hacker accessed customers’ names, addresses, telephone numbers, usernames, PIN codes, Cox account numbers, Cox.net email addresses, account security questions and answers, and/or the types of digital services subscribed to.

“On October 11, 2021, Cox learned that an unknown person(s) had impersonated a Cox agent and gained access to a small number of customer accounts,” Cox said.

Subsequently, the company launched an internal investigation, took additional steps to secure the affected customer accounts, and notified the relevant law enforcement agencies.

However, the data breach notification did not clarify whether customers’ financial information or passwords were accessed.

Similarly, the company did not disclose whether the data breach affected its partners’ operations. Usually, threat actors target upstream vendors like Cox to compromise their downstream customers through supply chain attacks.

Although subscribers’ financial information was likely not affected, the company advised its customers to monitor their financial accounts for suspicious activity.

Similarly, customers should change the passwords on any other online accounts that share a password with the compromised Cox accounts.

Paul Laudanski, Head of Threat Intelligence at Tessian, said the Cox Communications data breach highlighted the risk of password reuse. Additionally, he noted that support…

Source…

Elastic Announces the Launch and General Availability of Limitless XDR in Elastic Security, General Availability of Elastic Agent, and Centralized Management of Elastic Enterprise Search | Business


MOUNTAIN VIEW, Calif.–(BUSINESS WIRE)–Aug 3, 2021–

Elastic (NYSE: ESTC) (“Elastic”), the company behind Elasticsearch and the Elastic Stack, today announced new capabilities and enhancements across its Elastic Enterprise Search, Observability, and Security solutions, which are built in a single platform – the Elastic Stack.

New capabilities include the general availability of Elastic Agent, a single, unified agent that simplifies the management and monitoring of data from a growing volume of diverse sources, centrally managed in Fleet to give users broad visibility and control over their environments.

With Elastic Agent, Elastic Security users benefit from integrated ransomware and malware prevention, as well as remediation capabilities directly from the endpoint. Elastic Observability users gain better visibility across their applications and infrastructure, as well as secure, centralized agent management.

Elastic announces the launch and general availability of the industry’s first free and open Limitless Extended Detection and Response (XDR). Part of Elastic Security, Elastic Limitless XDR modernizes security operations by unifying the capabilities of security information and event management (SIEM), security analytics, and endpoint security on one platform.

Additionally, Elastic Enterprise Search can now be centrally managed in Kibana, the single management interface across all Elastic solutions.

Other key updates across the Elastic Stack, Elastic Cloud, and solutions include:

Elastic Stack and Elastic Cloud

Elastic announces the general availability of Elastic Agent with centralized management in Elastic Fleet. First released in beta in 7.9 and now generally available in 7.14, Elastic Agent serves as a single unified agent that makes it simple for customers and users to onboard and manage new data sources quickly, while also protecting their endpoints from cyber security threats. Elastic Agent is an Elastic Stack capability that delivers value to users across the Elastic Security and Elastic Observability solutions.

Elastic also announces that support for Microsoft Azure Private Link is now generally available. Customers can now privately and…

Source…