recentpopularlog in
« earlier  
The Newest AI-Enabled Weapon: ‘Deep-Faking’ Photos of the Earth - Defense One
China is the acknowledged leader in using an emerging technique called generative adversarial networks to trick computers into seeing objects in landscapes or in satellite images that aren’t there, says Todd Myers, automation lead for the CIO-Technology Directorate at the National Geospatial-Intelligence Agency.

“The Chinese are well ahead of us. This is not classified info,
deepfake  ai  china  gan 
10 days ago
The Chernobyl Disaster May Have Also Built a Paradise | WIRED
The Exclusion Zone hasn’t been rewilded so much as de-humaned, more unmanned in folly than anything Lady Macbeth ever worried about. It’s a living experiment in what the world will be like after humans are gone, having left utter devastation in our wake.
nature  chernobyl  environment  pollution  nuclear 
10 days ago
What Tech Companies Pay Employees in 2019 | WIRED
Twitter, Square, human-resources software maker Workday, and graphics-chip maker Nvidia each reported that median employee pay in 2018 exceeded $150,000. Government data show that the average wage for a software engineer in the San Francisco Bay Area last year was roughly $140,000, far higher than the national average of $104,000.
pay  career  salary  it 
10 days ago
Experts: Spy used AI-generated face to connect with targets
Katie Jones sure seemed plugged into Washington’s political scene. The 30-something redhead boasted a job at a top think tank and a who’s-who network of pundits and experts, from the centrist Brookings Institution to the right-wing Heritage Foundation. She was connected to a deputy assistant secretary of state, a senior aide to a senator and the economist Paul Winfree, who is being considered for a seat on the Federal Reserve.

But Katie Jones doesn’t exist, The Associated Press has determined. Instead, the persona was part of a vast army of phantom profiles lurking on the professional networking site LinkedIn. And several experts contacted by the AP said Jones’ profile picture appeared to have been created by a computer program.
spy  linkedin  deepfake  photo  ai 
10 days ago
Kit 70mm hasselblad
I don't have time to use it anymore, so I'm selling my 70mm hasselblad kit

- tank jobo for 70mm 70shots (very rare)
- bulk load 70mm watson
- 3 back a70 ok (foam to change on 2) with 4 bakc for pieces
- 2 bulk film of aerographic 70mm kodak 2405 45m
- 1 bulk duplicate film e6 fujifilm
- in Bulk loader : 2/3 of rollei infra 400
- more than 30 cassettes
- 1 old back a12 (i don't remember the condition) foam to change
hasselblad  70mm  filmphotography 
11 days ago
NSS Labs Admits Its Test of CrowdStrike Falcon Was ...
NSS Labs accused AMTSO and the three security vendors of unfairly allowing their products to be tested only by organizations that comply with the AMTSO. CrowdStrike at the time dismissed the suit as groundless, stating: "NSS is a for-profit, pay-to-play testing organization that obtains products through fraudulent means and is desperate to defend its business model from open and transparent testing."
crowdstrike  edr  cybersecurity  testing 
12 days ago
Investigate suspicious Windows processes using Sysinternals Sysmon | So Long, and Thanks for All the Fish
8 – CreateRemoteThread
The CreateRemoteThread event detects when a process creates a thread in another process. This technique is used by malware to inject code and hide in other processes.

10 – ProcessAccess
The process accessed event reports when a process opens another process, an operation that’s often followed by information queries or reading and writing the address space of the target process. This enables detection of hacking tools that read the memory contents of processes like Local Security Authority (Lsass.exe) in order to steal credentials for use in Pass-the-Hash attacks.
sysmon  fileless  threathunting 
12 days ago
Hunting Event Logging Coverup
how to detect execution of PS based tool like Invoke-Phant0m, which basically look for the event log service process (svchost.exe) and related threads which are responsible for event logging, after locating these threads, the tool terminates them. As a result, no more logs are recorded, no System, Security, Application, neither Sysmon or enhanced powershell logging etc.

From this point onwards, the adversary can basically perform post-compromise activities, without creating any alerts at least if the alerts are based on event logs.

But Wait! We gotta look at the Enhanced Power shell logging logs. What can we find there.

Ok we can see the  EventID 800 (pipeline execution) where we see the Invoke-Phant0m script being executed and the string "I`m here to blur the line...." being printed on the console. However all of this can be changed by the adversary so basically are not reliable ways to detect this.
sysmon  eventlogs  threathunting  logging  wmi  powershell 
12 days ago
Detecting in-memory attacks with Sysmon and Azure Security Center | Blog | Microsoft Azure
#Hancitor is such an example threat – it uses a macro to inject into verclsid.exe. The malicious code is copied directly into the verclsid.exe process space so never touches the disk. Because verclsid.exe is a trusted Windows process, its activity is unlikely to be blocked by intrusion detection products.

Invoke-Phant0m uses inter-process Windows API calls to find and terminate the threads associated with the Windows Event Log service. The service will still appear to be running – but it will no longer be writing events to the event log.

By collecting and analyzing Sysmon events in Security Center, you can detect attacks like the ones above
The Sysmon configuration is key as it determines the level and volume of logging.
The following configuration logs only privileged levels of memory access to specific processes. This will typically be very low volume
hancitor  fileless  threathunting  sysmon 
12 days ago
Phishing Attacks Using Verclsid.exe: Threat Detection
#Hancitor is such an example threat – it uses a macro to inject into verclsid.exe. The malicious code is copied directly into the verclsid.exe process space so never touches the disk. Because verclsid.exe is a trusted Windows process, its activity is unlikely to be blocked by intrusion detection products.

https://azure.microsoft.com/en-us/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
fileless  firewall  hancitor  redcanary  threathunting 
12 days ago
Process Injection and Process Hollowing (ATT&CK T1055 & T1093)
One of the more popular tools we found for injection testing is called injectAllTheThngs, which supports 7 different injection techniques. However, we found it didn’t completely suit our needs as it doesn’t support shellcode injection and has not been updated since July 2017.

Therefore, we built Vulcan to address these issues. It’s designed to support both DLL and shellcode injection in a manner that is easy to use and automate.
processhollowing  threathunting  fileless 
12 days ago
Detecting stealthier cross-process injection techniques with Windows Defender ATP: Process hollowing and atom bombing - Microsoft Security
In Windows Defender ATP Creators Update, we have instrumented function calls and built statistical models to detect a broad range of malicious injection techniques used in attacks.
fileless  malware  microsoft  cybersecurity  processhollowing 
12 days ago
GitHub - iann0036/AWSConsoleRecorder: Records actions made in the AWS Management Console and outputs the equivalent CLI/SDK commands and CloudFormation/Terraform templates.
Records actions made in the AWS Management Console and outputs the equivalent CLI/SDK commands and CloudFormation/Terraform templates.
aws  cloud  chrome 
13 days ago
Searches power dashboards and forms - Splunk Documentation
No results returned
If the base search is a non-transforming search, you must explicitly state in the base search what fields will be used in the post-process search using the | fields command. For example, if your post-process search will search for the top selling buttercup game categories over time, you would use a search command similar to the following.

| fields _time, categoryId, action
splunk  dashboard  advice  howto 
14 days ago
Stanley Metcalf: Great-grandfather admits airgun killing - BBC News
Stanley Metcalf died in hospital after being hit in the abdomen by a pellet from the gun in Sproatley, near Hull, on 26 July.

Albert Grannon, of Church Lane, Sproatley, pleaded guilty to manslaughter at Hull Crown Court.

The 78-year-old had shown "no real remorse for what happened" until the guilty plea, Humberside Police said.

He also admitted possessing an air rifle without holding a firearms certificate along with the charge of manslaughter by gross negligence.
gun  murder  airgun 
14 days ago
The Gulf could see one of the largest dead zones in history this year - CNN
What happens, Rabalais explains, is that too many dissolved molecules of nitrogen and phosphorus from runoff stimulate the growth of phytoplankton, which fall to the bottom and decompose with bacteria that use up oxygen. That leads to the creation of dead zones.
The Mississippi now has three times the amount of nitrogen that researchers saw in the 1950s, Rabalais said, and phosphorus has doubled, due to human activities. In May, nitrate loads were about 18% above the long-term average, and phosphorus loads were about 49% above the long-term average, according to scientists at the University of Michigan, who are among those monitoring the issue.

"It is all a part of how we treat our ecosystem and our consumptive nature," she said. "It's all connected to our carbon footprint and the nitrogen used in farming and used to feed animals that we don't need to eat. It is all tied together with the global economy and now tariffs and the way subsidies are given to farming."
environment  flooding  fishing  pollution  farming 
14 days ago
Google Cloud Status Dashboard
Two normally-benign misconfigurations, and a specific software bug, combined to initiate the outage: firstly, network control plane jobs and their supporting infrastructure in the impacted regions were configured to be stopped in the face of a maintenance event. Secondly, the multiple instances of cluster management software

Debugging the problem was significantly hampered by failure of tools competing over use of the now-congested network. The defense in depth philosophy means we have robust backup plans for handling failure of such tools, but use of these backup plans (including engineers travelling to secure facilities designed to withstand the most catastrophic failures, and a reduction in priority of less critical network traffic classes to reduce congestion) added to the time spent debugging. Furthermore, the scope and scale of the outage, and collateral damage to tooling as a result of network congestion, made it initially difficult to precisely identify impact and communicate accurately with customers.

https://status.cloud.google.com/incident/compute/19003
google  cloud 
14 days ago
Verizon Data Breach Investigations Report: Make It Harder for Hackers
Another area where hackers find they have to do relatively little for a big payoff is by using stolen credentials to compromise cloud-based email accounts. The report found that compromise of web-based email accounts using stolen credentials rose to 16% of all breaches this year, from just 3% last year.

To protect against social engineering attacks, IT professionals can block employees from clicking on macro-enabled Office documents, Windows executables and most links on the email gateway. Another important step is to encourage reporting.

To help prevent ransomware, Bassett recommends requiring employees who deal with the outside world to use a sandbox platform.
cloud  password  databreach  cybersecurity 
14 days ago
Microsoft Wants More Security Researchers to Hack Into Its Cloud
Russinovich spoke about protecting the cloud at an academic conference at Microsoft attended by hundreds of Microsoft workers and security engineers from Amazon Web Services, Google, Nike Inc. and others. The event grew out of a trail-running group that includes Microsoft’s Ram Shankar Siva Kumar, who oversees a team of engineers who apply machine-learning to cybersecurity, and peers at AWS and Google. The group would often share techniques and research while on the trail and the idea for a formal conference to exchange ideas was born.
cloud  aws  microsoft  trailrunning  vulnerability 
14 days ago
Boss of the SOC 2.0 Dataset, Questions and Answers Open-Sourced and Ready for Download
BOTS 2.0 Dataset
The BOTS 2.0 dataset is hosted on Github and Amazon S3 and comes in one of two forms:

The Full BOTSv2 Dataset
It’s "the whole enchilada." The dataset weighs in at around 16GB and is an exact copy of what was included in Splunk-hosted BOTS events throughout 2018 and early 2019.
The BOTSv2 "Attack Only" Dataset
The "Attack only" dataset is a pared-down version which eliminates the bulk of the "background noise" in return for a much more manageable total size of 3.2GB. In short, it's everything you need, and nothing you don't!
splunk  bots  download 
23 days ago
Bypassing Network Restrictions Through RDP Tunneling « Bypassing Network Restrictions Through RDP Tunneling | FireEye Inc
Plink can be used to establish secure shell (SSH) network connections to other systems using arbitrary source and destination ports. Since many IT environments either do not perform protocol inspection or do not block SSH communications outbound from their network, attackers such as FIN8 have used Plink to create encrypted tunnels that allow RDP ports on infected systems to communicate back to the attacker command and control (C2) server.
rdp  ssh  fireeye  tunnel 
23 days ago
Technique: Scheduled Task - MITRE ATT&CK™
Configure event logging for scheduled task creation and changes by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. [78] Several events will then be logged on scheduled task activity, including: [79]

Event ID 106 - Scheduled task registered
Event ID 140 - Scheduled task updated
Event ID 141 - Scheduled task removed
Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing current scheduled tasks.
scheduledtasks  attack 
23 days ago
Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak | Symantec Blogs
However, Symantec has now found evidence that the Buckeye cyber espionage group (aka APT3, Gothic Panda) began using Equation Group tools in attacks at least a year prior to the Shadow Brokers leak.

The zero-day vulnerability allows for the leaking of information and can be exploited in conjunction with other vulnerabilities to attain remote kernel code execution. It was reported by Symantec to Microsoft in September 2018 and was patched on March 12, 2019.
apt  cybersecurity  symantec 
23 days ago
Inexorable PowerShell – A Red Teamer’s Tale of Overcoming Simple AppLocker Policies – @sixdub
Assessment after Assessment, I find that we can compromise a domain user, elevate local privileges, steal credentials, inject payloads, and escalate in the domain all using PowerShell. I have nightmares of the day someone effectively restricts PowerShell and some of the old school tactics must return.

For some previous research attackers’ use of PowerShell:

-FireEye WhitePaper from Blackhat – Includes discussion of incident response with PowerShell. Awesome writeup! Props to these guys for taking a stab at defensive conversation in this arena. I hope to see some of this work recreated on an engagement some time.
-Crowdstrike Report on DeepPanda – Example of threat actor using PowerShell
-Weaponizing PowerShell – harmj0ys post on weaponizing PowerShell. Good write up on bypassing execution restrictions
-PowerShell Basics – Carlos Perez tutorials on PowerShell. Definitely worth the read
-Powersploit’ Github – Essential for Offensive PowerShell users
powershell  fileless  redteam  cybersecurity  reference 
24 days ago
Stopping Emotet Before it Moves Laterally - Red Canary
strategies for detecting Emotet are applicable to a wide variety of other adversary behaviors in both malware and hands-on techniques.

The document was delivered as an attachment in an email message containing a macro to launch an encoded command line.

Word.exe launching cmd.exe launching powershell.exe

Microsoft Word spawned command line
A command line contained obfuscated environmental variables
A PowerShell command leveraged the Invoke-Item cmdlet
A PowerShell command contained a URL
PowerShell downloaded a file
lateralmovement  redcanary  powershell 
24 days ago
Threat Hunting in Linux For Rocke Cryptocurrency Mining Malware
Published research by Unit 42 and Talos Group indicates that Rocke has exploited remote code execution (RCE) vulnerabilities in Oracle Weblogic, Apache Struts, Adobe ColdFusion, phpMyAdmin, Redis, and other public-facing services. It’s ideal but difficult to detect Rocke in near-real-time as the adversary attempts to execute code.
redcanary  attack  cryptojacking  reference 
24 days ago
Developing a Sophisticated, Mature Threat Hunting Program
One successful indicator of proper threat hunting is that you gain rich context about the environment in which you are hunting. Any behavior that may be considered unusual is assessed, catalogued, and queryable.

The best threat hunting practices tend to emerge from teams that have unconstrained time and resources to develop theories, understand visibility and collection gaps, and develop custom tooling to enable hunts. No matter what your constraints are, it’s important to remember that not all hunts find interesting things, but you’ll almost always learn something when you try to answer a question about your environment.

1) allow the flexibility and freedom to anticipate upcoming threats instead of being reactive to current and previous styles of attack, 2) focus on expanding visibility, ensuring that there are minimal, if any, gaps for threats to exist in, and 3) be continually testable, either by intentional or unintentional sources, so that you can detect gaps
threathunting  advice  redcanary 
24 days ago
TA505 Spear Phishing Campaign Uses LOLBins to Avoid Detection
The APT group's attack made use of LOLBins (examples available HERE), taking advantage of legitimate and native Windows binaries (msiexec.exe, rundll32.exe, and net.exe) to deliver its ServHelper malware payload in an attempt to achieve an extra level of stealthiness, an effective tactic as shown by a previous analysis of an attack targeting Brazilian entities.
malware  cybersecurity  fileless 
24 days ago
New SLUB Backdoor Uses Slack, GitHub as Communication Channels
Windows exploits used to compromise targets in watering hole attacks
SLUB's masters added an exploit for the CVE-2018-8174 remote code execution vulnerability present the Windows VBScript engine and patched in May 2018 to a compromised website, allowing them to drop and launch the first stage in the form of a downloader camouflaged as a DLL file using PowerShell.
exploit  wateringhole  cybersecurity  powershell  malware 
24 days ago
Practical Threat Hunting – Applied Network Defense
Two hunting frameworks: Attack-Based Hunting (ABH) and Data-Based Hunting (DBH)
Techniques for leveraging threat intelligence and the MITRE ATT&CK framework for hunting input
The 9 most common types of anomalies you’ll encounter when reviewing evidence.
The 4 ways threat hunters most commonly transform data to spot anomalies
Typical staffing models for hunting capabilities in organizations of all sizes along with pros/cons
5 metrics that support and enable threat hunting operations
An ideal design for a hunter’s wiki/knowledgebase
A 5-step framework for dissecting and simulating attacks to prepare for hunting expeditions
A list of my favorite hunting data sources and tools
A curated list of hunting expeditions to get you started
A list of my favorite Twitter follows for daily threat hunting input
threathunting  training 
24 days ago
Information Security Mental Models – Chris Sanders
The MITRE ATT&CK matrix is a framework of adversarial tactics that basically presents a categorical list of common techniques to describe computer network attacks. It’s a great model that’s useful in a variety of ways, and honestly, we’ve needed something like this for a while.

abandoned other sound security principles and successful ongoing initiatives in pursuit of “checking things off the list” that is ATT&CK. Similarly, I’ve seen new security organizations center their entire detection and prevention strategies around ATT&CK without first defining their threat model, understanding the high-value assets, and gaining any sense of the risk they want to mitigate

Mental models help us make better decisions and learn faster. Models are tools that help us simplify complexity, and they are critical in the practice of any profession. For information security to evolve past our cognitive crisis we must become more adept at developing, utilizing, and teaching good models.
cybersecurity  risk  modeling  attack  medical  biology 
24 days ago
A closer look at the Angler exploit kit – Sophos News
Angler first appeared in late 2013, and since then has significantly grown in popularity in the cyberunderworld. Its aggressive tactics for evading detection by security products have resulted in numerous variations of the various components it uses (HTML, JavaScript, Flash, Silverlight, Java and more). Angler is also extremely prevalent. For example, in May 2015, we uncovered thousands of new web pages booby-trapped with Angler – so-called landing pages – every day.
anglerek  cybersecurity  apt  exploit  javascript 
24 days ago
New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit « New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit | FireEye Inc
The malicious .rtf file exploits CVE-2017-11882.
The malware overwrites the function address with an existing instruction from EQNEDT32.EXE.
The malware creates a child process, “mshta.exe,” which downloads a file from: hxxp://mumbai-m[.]site/b.txt.
b.txt contains a PowerShell command to download a dropper from: hxxp://dns-update[.]club/v.txt. The PowerShell command also renames the downloaded file from v.txt to v.vbs and executes the script.
The v.vbs script drops four components (hUpdateCheckers.base, dUpdateCheckers.base, cUpdateCheckers.bat, and GoogleUpdateschecker.vbs) to the directory: C:\ProgramData\Windows\Microsoft\java\
v.vbs uses CertUtil.exe, a legitimate Microsoft command-line program installed as part of Certificate Services, to decode the base64-encoded files hUpdateCheckers.base and dUpdateCheckers.base, and drop hUpdateCheckers.ps1 and dUpdateCheckers.ps1 to the staging directory.
cUpdateCheckers.bat is launched and creates a scheduled task for GoogleUpdateschecker.vbs persistence.
GoogleUpdateschecker.vbs is executed after sleeping for five seconds.
cUpdateCheckers.bat and *.base are deleted from the staging directory.
apt  cybersecurity  powershell  fileless 
24 days ago
Fileless Malware: Invisible but not Undetected - ReaQta
TSR viruses evolved towards a more modern connotation of “fileless” with the infamous Code Red worm that in 2001 infected computers only via network, exploiting a buffer overflow in Microsoft IIS server. The malicious payload existed entirely in memory, with no files written on disk, thus gaining the title of the very first modern fileless malware.

That malware took the name of Poweliks and while technically fileless, it used to hide its encrypted payload in the Windows Registry, through a complex chain of actions that involved for the first time several scripts: a JScript followed by a Powershell script that was used to load and run a malicious DLL.

Of course all the security features found in Powershell 5 should be enabled to help analysts figure out what an “unknown” script is doing.

The counter side of this approach is that manual analysis is precise but time-consuming: the analysts cannot be allocated full time to just read powershell logs, so we strongly suggest to automate this process as much as possible.
malware  fileless  history  reference  cybersecurity 
24 days ago
Operation Cobalt Kitty: A large-scale APT in Asia carried out by the OceanLotus Group
attackers persisted on the network for at least a year before Cybereason was deployed. The adversary proved very adaptive and responded to company’s security measures by periodically changing tools, techniques and procedures (TTPs), allowing them to persist on the network for such an extensive period of time. Over 80 payloads and numerous domains were observed in this operation - all of which were undetected by traditional security products deployed in the company’s environment at the time of the attack.

https://www.cybereason.com/hubfs/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty-Part1.pdf
malware  fileless  cybereason  cybersecurity  apt 
24 days ago
Takedowns and Adventures in Deceptive Affiliate Marketing
Spam Cartography
I reviewed a number of methodologies on image comparison and settled on Mean Squared Error (MSE). This technique essentially generates a measurement score based on the average of the squares of errors, or in this context the difference between pixel intensity of the two compared images

GoDaddy URL shortening service, similar to “bit.ly” and “goo.gl”, but allows you to point a DNS A Record to the IP and manage where it will forward the user.
spam  analytics  cybersecurity 
24 days ago
PowerSniff Malware Used in Macro-based Attacks
This macro will invoke the WMI service to spawn a hidden instance of powershell.exe with the following arguments (The URLs have been defanged for safety):
malware  fileless  powershell  wmi 
24 days ago
POWELIKS: Malware Hides In Windows Registry - TrendLabs Security Intelligence Blog
Through a NULL registry value, users cannot see the content of the registry key with null value. Although there is an option to delete the registry key, deleting it will just result to an error due to the null value. However, the specific data will still execute during the system’s restart without any problem. To put simply, users cannot see and therefore, delete the entry thus when they reboot the system, the malware will still run.

It also creates another registry entry that contains the malware code.
malware  registry  fileless  powershell 
24 days ago
InfoSec Handlers Diary Blog - Powershell Malware - No Hard drive, Just hard times
Upon startup this will launch Powershell and execute the Base64 (UTF-16LE) encoded script stored in the registry path HKCU:\Software\Classes\UBZZXDJZAOGD' in the key 'XLQWFZRMYEZV'.
powershell  malware  debug 
24 days ago
Full Seattle homeless count report shows who is on the street and why
The latest homeless count for Seattle/King County showed that there are 11,199 people experiencing homelessness countywide, but the release of the full report offers a greater picture of who is on the streets and why.

Of those counted, an estimated 2,451 individuals were in families with children, 1,089 were unaccompanied youth, 830 were veterans, and 32 percent were identified as people of color.

Conducted in January by Count Us In
homeless  seattle 
24 days ago
My Husband Wore Really Tight Shorts to the Eclipse Party - The New York Times
The Swiss psychiatrist Carl Jung argued that when we fall in love with someone, what we really fall in love with are the characteristics that are in us, but that, for whatever reason, we cannot access.

What I love in Alex — that ability to not care what other people think — is something I want for myself. I have experienced that utter lack of self-consciousness only three times in my life: When I fell in love 25 years ago, the months I had untreated postpartum psychosis, and the two-and-half minutes of the eclipse. Three times reality flipped.

Even after spending 25 years with that person, the only way to get there is to change yourself.
eclipse  psychology  relationships  humor 
24 days ago
Why 1999 Was Hollywood’s Greatest Year - The New York Times
“American Beauty” to “American Movie” to “American Pie.” Among them: “The Matrix,” “The Sixth Sense,” “Boys Don’t Cry,” “Three Kings,” “Being John Malkovich,” “The Best Man,” “The Insider,” “The Virgin Suicides,” “Magnolia” and “Election.”
movies  thematrix  1999 
24 days ago
« earlier      
per page:    204080120160

Copy this bookmark:





to read