Tag Archive for: alter

Hackers Alter Cobalt Strike Beacon to Target Linux Environments


A significant part of hacking consists of diverting the function of existing systems and software, and hackers often use legitimate security tools to perform cyber attacks.

Pentesting tool Cobalt Strike has been one such target, but what happened recently with a Red Hat Linux version of the Cobalt Strike Beacon is worthy of note. According to cybersecurity researchers, it could be the work of an advanced threat actor.

How is Cobalt Strike Beacon Used in Cyberattacks?

Cobalt Strike is an exploitation platform. The idea is to emulate attacks from advanced adversaries and potential post-exploitation actions.

You can see it as a framework used both by security teams for test purposes and by threat groups. The software creates connections (using Cobalt Strike servers) to attack networks. In addition, it contains tons of components that are pretty convenient and customizable.

The beacon is the client. That’s why attackers have to install it on the targeted machine, which usually happens after exploiting a vulnerability. If the attack succeeds, hackers can maintain a persistent connection between the beacon and Cobalt Strike rogue servers, sending data periodically.

A New Variant of Cobalt Strike

Cobalt Strike Beacon Linux enables emulation of advanced attacks against a network over HTTP, HTTPS, or DNS.

It provides a console where you can open a beacon session and enter specific commands. The console returns command output and other information. Users get access to a status bar and various menus that extract information and interact with the target’s system.

Beacon’s shell commands are handy for performing various injections, remote command executions, and unauthorized uploads and downloads.

The skilled hackers who implemented this Linux variant achieved tremendous success. Their version has a scary ability to remain undetected. It can get disk partitions, list, write and upload files, and execute commands as well.

The malware has been renamed Vermilion. The name vermilion came from the Old French word vermeillon, which was derived from vermeil, from the Latin vermiculus, the diminutive of the Latin word vermis, or worm.

How Does a Beacon Attack Work?

The Cobalt Strike’s Command and Control…

Amazon Tells Ukraine Publication To Alter Its Article After It Links The Company To Ring’s Problematic Ukraine Branch

An extremely-problematic wing of an extremely-problematic company is back in the news. Ring’s Ukraine division made headlines last fall when the presence of a “Head of Facial Recognition Tech” in the Ukraine office appeared to contradict Ring’s claims it was not interested in adding facial recognition to its cameras.

More disturbing news surfaced earlier this month, when it was discovered this office had allowed its employees to view Ring camera footage uploaded by users. Ring doesn’t just produce doorbell cameras. It also sells in-home cameras, making this revelation particularly worrying.

Beginning in 2016, according to one source, Ring provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world. This would amount to an enormous list of highly sensitive files that could be easily browsed and viewed. Downloading and sharing these customer video files would have required little more than a click. The Information, which has aggressively covered Ring’s security lapses, reported on these practices last month.

Not only did the R&D team have complete access to customers’ recordings, so did Ring’s US-based engineers and executives. And who knows how many other people have accessed these recordings illicitly? When this access was granted to an untold number of Ring employees, Ring did not encrypt uploaded recordings. The company apparently felt encryption was too expensive to implement and would possibly limit revenue opportunities for the company as it aggressively moved into the home security market.

It turns out the company was using customers’ footage to train its AI to recognize faces and other objects. This would be the same facial recognition Ring swears it isn’t going to be implementing anytime soon.

Apparently, this abuse of trust has resulted in growth opportunities for Ring-Ukraine. A recent article by Ukrainian publication Vector stated the office would be lending its expertise to other Amazon products, which possibly includes Rekognition, Amazon’s homegrown facial recognition program.

But that story was buried by Amazon PR shortly after it appeared, according to Sam Biddle of The Intercept.

I asked multiple Amazon representatives and Ring’s head of communications about the Vector article, including specifically what were the “many other Amazon projects” Ring’s Ukrainian staff now worked on.

Although Amazon ignored repeated requests for comment and Ring refused to discuss the subject on the record, it seems that the company did take action: Within hours of my inquiries, the text of the Vector piece was quietly edited to remove references to Amazon. Most notably, the entire quoted sentence about the “many other Amazon projects” the Kyiv office was working on was excised.

The author of the story told The Intercept he had nothing to do with the belated deletion. In fact, he was not aware of any editing until The Intercept brought it to his attention. An email from Vector’s editor-in-chief explained the situation, although not all that satisfactorily.

We published a news about rebranding, later pr-manager of Ring Ukraine called me and asked to take Amazon mention out from the article. Since I had a good relationship with manager, the article got just several dozens of views and I understood that everyone knows that Ring is part of Amazon anyway, I didn’t even ask questions, said ok and took Amazon part out.

It appears Amazon doesn’t want people to know it has given a problematic division even more responsibility. It also may be trying to head off another Ring-related PR nightmare by removing any text that might suggest Ring customer recordings are being used to train facial recognition software used by government agencies.

But it’s too late to change public perception. The scrubbing may keep Amazon from being linked to unfettered access to Ring camera recordings in search results, but there’s no separating Amazon from Ring. And there’s nothing here that suggests either company is moving away from leveraging user-generated content to fine-tune AI for the customers they really want: law enforcement agencies.

Techdirt.

‘Peekaboo’ zero-day lets hackers view and alter surveillance camera footage

Hundreds of thousands of security cameras are believed to be vulnerable to a zero-day vulnerability that could allow hackers to spy on feeds and even tamper with video surveillance recordings.

Read more in my article on the Bitdefender BOX blog.

Graham Cluley