🔓 Attacks & Vulnerabilities
Ebury Botnet Infected 400K Linux Servers Since 2009 (4 minute read)
The Ebury botnet has compromised 400K servers over the past 15 years. Recent attacks show that operators have been targeting hosting providers to perform supply-chain attacks on clients renting virtual servers. The Ebury operators are financially motivated and often deploy credential stealers onto compromised servers.
Christie's Art Auctions Hit By A Cyber Attack (2 minute read)
Christie's auctions worth $840m have been disrupted by a cyber attack, affecting the sale of valuable items like a Van Gogh painting and rare wine. The website is offline, but bids can still be placed over the phone or in person. An alternative website with basic information is available. Auctions continue and there are plans for upcoming sales.
Leveraging DNS Tunneling for Tracking and Scanning (13 minute read)
This blog post describes DNS tunneling, a technique attackers use to hide and transport data inside DNS traffic. Malicious actors can use DNS tunneling to track user activity and communicate with compromised hosts. Organizations can detect and mitigate DNS tunneling campaigns effectively by analyzing indicators such as the queried domains and the IP addresses involved.
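As an added example (not code from the linked blog post), the following Python script applies the detection idea above to a constructed resolver query log: it groups queries by registered domain, scores each domain on traits tunnels tend to show (long, high-entropy subdomain labels, few repeated names, heavy use of TXT/NULL record types), and emits the flagged domains together with the client IPs that queried them as indicators for blocking or further triage. The log line format, sample lines, thresholds, and the two-label approximation of a registered domain are all assumptions made for this example.

```python
"""Heuristic DNS tunneling detector over resolver query logs (added example)."""
import math
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch> <client_ip> <qtype> <qname>".
# The .test TLD is reserved, so the tunnel domain cannot collide with a real one.
SAMPLE_LOG = """\
1715900001 10.0.0.5 A www.example.com
1715900002 10.0.0.5 AAAA www.example.com
1715900003 10.0.0.7 A mail.example.com
1715900004 10.0.0.9 TXT 4a7f9c1e2b8d3a6f5e0c9b7d8a1f2e3c.t.tunnel-demo.test
1715900005 10.0.0.9 TXT 9f3e2d1c0b7a6958473625140f1e2d3c.t.tunnel-demo.test
1715900006 10.0.0.9 NULL a1b2c3d4e5f60718293a4b5c6d7e8f90.t.tunnel-demo.test
1715900007 10.0.0.9 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.tunnel-demo.test
1715900008 10.0.0.9 TXT deadbeefcafef00d0123456789abcdef.t.tunnel-demo.test
1715900009 10.0.0.9 TXT 5555aaaa1111bbbb2222cccc3333dddd.t.tunnel-demo.test
1715900010 10.0.0.5 A cdn.example.com
1715900011 10.0.0.7 A login.example.com
"""

# Assumption: record types a tunnel is likely to use to carry bulk payloads.
RARE_QTYPES = {"TXT", "NULL"}


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payload labels score near log2(alphabet size)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels of a name. Assumption: no public suffix list is used,
    so names under multi-label suffixes (e.g. co.uk) would be cut too short."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the constructed log format; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": int(ts), "client": client,
                        "qtype": qtype.upper(), "qname": qname.lower()})
    return records


def summarize_domains(records: list) -> dict:
    """Per-registered-domain statistics used by the scoring rules."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[registered_domain(r["qname"])].append(r)
    stats = {}
    for domain, recs in by_domain.items():
        suffix = "." + domain
        subs = [r["qname"][:-len(suffix)] if r["qname"].endswith(suffix) else ""
                for r in recs]
        total = len(recs)
        stats[domain] = {
            "queries": total,
            "unique_ratio": len({r["qname"] for r in recs}) / total,
            "avg_sub_len": sum(len(s) for s in subs) / total,
            "mean_entropy": sum(shannon_entropy(s) for s in subs) / total,
            "rare_fraction": sum(r["qtype"] in RARE_QTYPES for r in recs) / total,
            "clients": sorted({r["client"] for r in recs}),
        }
    return stats


def detect_tunneling(log_text: str, min_queries: int = 5, min_entropy: float = 3.0,
                     min_sub_len: int = 24, min_rare_fraction: float = 0.5) -> list:
    """Return flagged domains with the reasons and querying clients.
    Thresholds are illustrative assumptions; tune them against a baseline."""
    findings = []
    for domain, s in summarize_domains(parse_log(log_text)).items():
        if s["queries"] < min_queries:
            continue  # too little traffic to judge
        reasons = []
        if s["mean_entropy"] >= min_entropy and s["avg_sub_len"] >= min_sub_len:
            reasons.append("high_entropy_long_labels")
        if s["rare_fraction"] >= min_rare_fraction:
            reasons.append("bulk_data_record_types")
        if reasons:
            findings.append({"domain": domain, "queries": s["queries"],
                             "reasons": reasons, "clients": s["clients"]})
    return sorted(findings, key=lambda f: f["domain"])


if __name__ == "__main__":
    for f in detect_tunneling(SAMPLE_LOG):
        print(f["domain"], f["queries"], f["reasons"], f["clients"])
```

In practice the registered-domain split should use a public suffix list, thresholds should be calibrated against each resolver's normal traffic (CDNs and some security products also produce long, unique labels), and the flagged domain and client pairs would be forwarded to the SIEM or DNS firewall rather than printed.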
Keylime (GitHub Repo)
Keylime provides an end-to-end solution for bootstrapping hardware-rooted cryptographic trust for remote machines, provisioning encrypted payloads, and monitoring runtime system integrity.
SharpGraphView (GitHub Repo)
SharpGraphView is a post-exploitation toolkit that provides modular access to the Microsoft Graph API for cloud security teams.
A peek into build provenance for Homebrew (7 minute read)
Trail of Bits discusses its work to add cryptographically verifiable build provenance for all Homebrew bottles. This feature binds each bottle's content to specific build-time metadata, reducing the risk of compromised or malicious installations. The feature is still in early beta: users can verify attestations with the "brew verify" command, but caution is advised until development is further along.
Techniques Learned from the XZ Backdoor (17 minute read)
This blog post discusses techniques used in the XZ backdoor, focusing on how it locates function addresses, symbol tables, and system information within ELF files. It also explains function hooking and demonstrates a simplified version of the XZ backdoor's logic using library functions and memory address manipulation. The backdoor's approach is to find specific addresses and act on what it finds there, mirroring the way critical functions are located within running programs.
Black Basta Ransomware Group Is Imperiling Critical Infrastructure (3 minute read)
The Black Basta ransomware group is attacking critical infrastructure, affecting over 500 organizations in the past two years, including a healthcare system with 140 hospitals. FBI and security researchers warn that the group is causing severe disruptions and targeting healthcare organizations through novel social engineering tactics.