Tag: Cybersecurity Tips

  • SonicWall Patches Three Zero-Day Vulnerabilities

    SonicWall has tested and published patches to mitigate three zero-day vulnerabilities in its email security products this week. Hackers are actively exploiting these vulnerabilities in the wild, and customers should patch them immediately.

    Affected Products

    The vulnerabilities affected the following versions of SonicWall’s email security and hosted email security products:

    • 10.0.1
    • 10.0.2
    • 10.0.3
    • 10.0.4-Present

    The Addressed Vulnerabilities

    The patches released by SonicWall mitigate three CVEs, listed below:

    More details from SonicWall can be found in its company advisory as well as in FireEye’s detail of how the exploits were being used. Here are links to both:

    Remediations

    SonicWall has patched its hosted email security product automatically, but customers will need to upgrade in-house email security products on their own, using the following versions:

    • (Windows) Email Security 10.0.9.6173
    • (Hardware & ESXi Virtual Appliance) Email Security 10.0.9.6173

    SonicWall also provides detailed instructions for upgrading in this advisory article: https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/


  • NSA, FBI, CISA Statement on Russian SVR Activity

    What does it mean for your business?

    Summary of the Statement

    Last week, the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and Federal Bureau of Investigation (FBI) released a joint statement on five different vulnerabilities that the Foreign Intelligence Service of the Russian Federation (SVR RF) is known to be exploiting currently.

    How does this affect your business?

    Even if your business is not a target of the SVR RF, other threat actors, such as ransomware gangs, are taking advantage of the same vulnerabilities. Therefore, if you have been using any of the affected product versions, you should take them offline, upgrade to the most recent version, and begin an incident response process to verify your servers are not compromised. Additionally, Raxis recommends performing the same process on other recently exploited products such as SolarWinds Orion and Microsoft Exchange Server.

    Affected Product Versions & Associated CVEs

    Fortinet FortiGate VPN

    • Version: Fortinet FortiOS 6.0.0 to 6.0.4, 5.6.3 to 5.6.7 and 5.4.6 to 5.4.12
    • CVE: CVE-2018-13379

    Synacor Zimbra Collaboration Suite

    • Version: Synacor Zimbra Collaboration Suite 8.7.x before 8.7.11p10
    • CVE: CVE-2019-9670

    Pulse Secure Pulse Connect Secure VPN

    • Version: Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4
    • CVE: CVE-2019-11510

    Citrix Application Delivery Controller and Gateway

    • Version: Citrix ADC and Gateway versions before 13.0.47.24, 12.1.55.18, 12.0.63.13, 11.1.63.15 and 10.5.70.12 and SD-WAN WANOP 4000-WO, 4100-WO, 5000-WO, and 5100-WO versions before 10.2.6b and 11.0.3b
    • CVE: CVE-2019-19781

    VMware Workspace ONE Access

    • Version: VMware One Access 20.01 and 20.10 on Linux, VMware Identity Manager 3.3.1-3.3.3 on Linux, VMware Identity Manager Connector 3.3.1-3.3.3 and 19.03, VMware Cloud Foundation 4.0-4.1, and VMware vRealize Suite Lifecycle Manager 8.x
    • CVE: CVE-2020-4006

    Remediation

    If your business is running any of the aforementioned product versions, upgrade immediately to the most recent versions following the guides for each product below:

    Fortinet FortiGate VPN

    Synacor Zimbra Collaboration Suite

    Pulse Secure Pulse Connect Secure VPN

    Citrix Application Delivery Controller and Gateway

    VMware Workspace ONE Access

    Solarwinds Orion

    Microsoft Exchange

    Additionally, Raxis recommends beginning an incident response process on any servers exposed to the internet that are running these product versions, as they are actively being exploited in the wild.

    Associated Links

    NSA, FBI & CISA Statement: https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2573391/russian-foreign-intelligence-service-exploiting-five-publicly-known-vulnerabili/

    CVE Links:

  • Three Questions to Ask Before Connecting a Device to the Internet

    “In theory, even our refrigerators could turn against us and order low-fat ice cream instead of our Ben & Jerry’s.”

    Raxis Lead Penetration Tester, Scottie Cole

    I’m a gadget guy with a lot of IT experience, which of course makes me the pro bono tech troubleshooter for every friend and relative within 100 miles. It also means I’m the guy they call when they want to connect their latest gizmo to the Internet.

    I don’t usually mind helping, but I often find myself wondering if people are putting enough thought behind this race to connect to the Internet of Things (IoT). 

    Ha! Just kidding. I know for a fact that most aren’t putting any thought behind it.

    The allure of convenience, the snob appeal of being an early adopter, and the FOMO factor make it incredibly easy to sell these devices. But there’s no incentive to also talk about security issues – and that’s a big problem. 

    So, as a public service, I’m taking off my gadget-geek gear and putting on my professional hacker hoodie. Before you connect any device to the Internet, ask yourself these questions (and answer them honestly):

    Will I really use it as much as I think? This is about more than simply being frugal. The less you use a device or an associated app, the more likely you are to miss important updates and leave security patches uninstalled. You might not be paying attention, but hackers surely are. Which brings up a second question . . . 

    Can I secure it? Why don’t we pose that question to Alexa? Oh, wait. Can we trust her? Really, we only have a pinky swear from the company that she’s not spying on us. And that’s a potential problem with many devices. Even as a security professional, I can only control the security on my end. If it’s a centrally administered service, I have to also trust the company to protect access to the device as well. That’s why it pays to really read what they have to say about security. And that raises a third, even more important question . . . 

    What am I putting at risk if it’s hacked? One of the great IoT ironies is that some of the products sold under the guise of making us more secure are often the most vulnerable to attack. That means security cameras can turn into spy cameras. The ability to lock our doors remotely means they can be unlocked the same way. In theory, even our refrigerators could turn against us and order low-fat ice cream instead of our Ben & Jerry’s.

    A more urgent concern is that any device connected to your network can become a pathway for unauthorized access. If you think that’s unlikely, watch my colleague Scott Sailors hack a wireless mouse. From a practical perspective, that means you should segment your network so that, if your toaster is hacked, you’re not putting all your bank and credit card data at risk as well. 

    The reality is that connected devices are improving our lives dramatically and we haven’t even scratched the surface of their real capabilities. It’s exciting to realize that more and more devices are becoming smarter and more capable. In order to fully enjoy the advantages of being connected, we simply need to be realistic about our abilities, mindful of the risks we take, and diligent about mitigating them effectively.

    Companies hire the team here at Raxis to identify vulnerabilities and correct them before hackers can take advantage. As individuals, it’s up to us to do it ourselves.

    Of course, you can also call on a friend or relative to help. (Not me, though. I’m all booked up through the end of the year.)

  • What’s it Like to Work at Raxis?

    One of the great things about being a penetration tester is explaining what we do to people inside and outside the world of cybersecurity. Having done this work myself and now managing others, I can’t imagine a more fascinating job. However, I also can’t imagine doing this job for any company other than Raxis.

    That’s because we’ve assembled a team of outstanding professionals with wildly diverse backgrounds that range from film and television to law enforcement to web design to IT administration and software development. We are, of course, expert hackers, but working for Raxis means that we all bring much more to the table.

    Over the next several weeks, we’ll be offering up a series of videos that will show you what our company and our work are truly like. These videos will likely be helpful if you’re interested in penetration testing as a career. They’re must-watch material if you want a career at Raxis.

    In addition to an advanced skillset, we expect an incredibly high degree of integrity. The nature of our work means that we only bring on people who have held positions of trust and who have proven themselves worthy of ours.

    Integrity is essential, but it’s only one part of the larger picture that is culture. Beginning with our founder, we’ve brought on people who work well together, naturally. We have created a culture that places a high value on creative thinking, problem-solving, and above all, teamwork. 

    Please take a look at our inaugural video above. Raxis’ chief technology officer Brian Tant and I will explain how each penetration test presents different issues and opportunities. If you think you have what it takes to join our ranks, keep watching in the weeks ahead as other members of the Raxis team discuss different aspects of life in our world.

    Also, keep an eye on our careers page. Occasionally, we have openings for people with the right skills, determination, and attitude to join our team.

    Want to learn more? Take a look at the next part of our Working at Raxis discussion.

  • Why Companies Shouldn’t Overlook Mobile Application Testing

    There are apps sold to the general public and ones that are made available by businesses to their customers, as well as proprietary apps used only within organizations. What all of these apps have in common is that, without proper security, they are all vulnerable to attack. And each of those 200 billion downloads represents an ever-expanding pool of potential hackers and victims.

    That’s why conducting penetration tests on mobile applications is one of the most important services we offer here at Raxis. We’ve tested apps for Apple, Android, and Windows phones, using up-to-date devices, jailbroken iPhones, and rooted Android devices, as well as emulators that allow further testing.

    Here are some of the most common issues we find:

    Jailbroken or Rooted Devices

    Ideally, apps should be set up so that they won’t even run on devices that are jailbroken or rooted. People often do that to their devices to have more control than the vendor intended, allowing them to download unauthorized apps from stores such as Cydia. The danger is that such apps may allow nefarious activities or steal users’ data.

    Phones that have been jailbroken or rooted are also open to attacks on the operating system itself, possibly giving an attacker control of the device as well as control of legitimate applications. Our strong recommendation to developers is to build into apps the ability to recognize a device that has been compromised and to block its access until the device is updated correctly.

    No SSL Certificate Pinning

    We also find many mobile apps that don’t use SSL certificate pinning. SSL certificate pinning validates that the server presents the specific certificate (or public key) the app expects, rather than any certificate the device happens to trust. When an application fails to verify the certificate this way, it opens the door for a man-in-the-middle (MitM) attack, in which the attacker can insert himself into the encrypted traffic between the app and the server. This can be accomplished through name resolution poisoning, adding a proxy server, or a number of other ways.

    The attacker then can use his own certificate to impersonate the API server and decrypt the application traffic, read or manipulate it, re-encrypt it, and forward it onto the intended destination without detection. This type of attack not only allows an attacker to decrypt both incoming and outgoing traffic (such as credit card numbers and passwords), but also allows the attacker to change it. Using a typical bank transaction as an example, the hacker could transfer the funds to his account instead of yours.

    Shared Vulnerabilities

    Not all vulnerabilities are exclusive to mobile applications. We also find many, such as SQL injection (SQLi) attacks, that can be weak points within web applications as well. That’s why it’s important to test mobile apps separately from web apps. Even though they may use the same APIs and databases, and the user experience may feel nearly identical, the platform code and environment are different. Testing each one ensures that a hacker can’t exploit the app simply by changing platforms.

    Internal Apps

    Raxis has tested apps that are made available for customers as well as proprietary apps that are used within organizations, such as on flights for meal service. We’ve worked with companies that were less concerned with internal apps and proprietary devices because they were only available to employees. In those cases, we explain that personal and proprietary devices could fall into the wrong hands. If an internal mobile device or app runs on a production network, an attacker that gains access to the device is one step closer to accessing company data that may be on that network.

    What You Can Do

    Many of the companies that come to Raxis for mobile tests use that as a marketing tool. They are proud to show potential customers that they have a strong focus on securing their data. So, take a look at the apps on your mobile device. Do you know if they’ve been tested by a company like ours? It’s always a good idea to read the security and privacy data before you download.

    And remember, if you’re not sure, you can always ask – in public forums or user groups, or even directly to the app developers themselves. If they don’t currently conduct routine penetration testing, your questions might convince them they should.

    *SOURCE: Statista c. 2020

  • Understanding Vulnerability Management

    When an organization gets serious about the security of their environment, I strongly recommend a vulnerability management system as a critical first step. 

    Vulnerability management is a system for continually identifying, prioritizing, remediating, and mitigating software vulnerabilities. It is a must when it comes to your computer and network security. 

    In the video above, I explain what it means to have an effective vulnerability management system in place and why it is so important. 

    Lack of effective vulnerability management is one of the most critical and common findings Raxis uncovers when we perform penetration tests. Without it, companies have no reliable way to make sure that patches are installed and that other security protocols are being followed as a matter of course. 

    If you don’t have a vulnerability management system in place, we can certainly help. We’ll look for the same things we know the bad guys do, and we’ll show you how to implement the security practices that will alert your team to suspicious activity and help stop attacks before they start.

    Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. The company’s ethical hackers have successfully breached some of the most sophisticated corporate networks in the US. Contact us today: https://raxis.com/contact

  • The Most Important Cybersecurity Lessons of 2020

    At the close of a year that turned our world upside down, it’s more than fair to wonder and worry about what 2021 might bring. Even as we pray for health, prosperity, and peace, cybersecurity professionals understand that these blessings will remain under constant attack by malicious actors for whom every upheaval in our lives is an opportunity to strike. 

    Despite the high-profile breach of SolarWinds and ongoing attacks from state-sponsored actors, I believe the COVID-19 pandemic best illustrates that point in a couple of different ways. Here’s why: In 2020, companies worldwide asked their teams to work remotely all or part of the time. But not all of them had appropriate security protocols in place beforehand, leaving their networks vulnerable to attackers as they made the transition. 

    I’m not suggesting that business owners (or even health professionals) should have predicted the arrival of the novel coronavirus, but there are any number of natural and manmade disasters that can force us out of our offices. We all need to have a continuity plan – and cybersecurity should certainly be one of its guiding principles. 

    For those who did have a plan, now is the time to ask if it was followed correctly and if it worked effectively. I strongly encourage CEOs and business owners to include your infosec teams in these discussions and perhaps have them take the lead. More importantly, listen and act on their recommendations because the new normal will come with new challenges for all of us. 

    Assuming that the US and other nations are able to contain the spread of COVID (as we hope and expect), some companies will ask their workers to return to an office environment, some will make the remote model a permanent feature, and still others will adopt a hybrid approach that features elements of both. Safety and productivity are the factors that will most likely (and appropriately) drive those decisions. But effective cybersecurity measures should be a non-negotiable feature regardless of the workplace model.

    Not to turn this post into a commercial, but Raxis (and some other pen-testing companies) can be of great help in this process. That’s because we understand where attackers are most likely to focus their efforts and thus where your company is most vulnerable. We speak the same language as your infosec team, so we can work with them to come up with a plan that gives you the most flexibility to meet your business needs, but still keeps you and your network safe from attackers.

    My hope is that an enduring lesson from the COVID-19 experience (and other events in 2020) is that more organizations need to take a proactive approach to cybersecurity. Though we can’t predict who will be breached and when, we know for certain that the attacks will continue indefinitely. And while we don’t know when a global or local disaster will disrupt our operations, we should be ready to respond swiftly and securely if it does.

    Here’s to a safe, secure, and prosperous new year for your business. At Raxis, our business is helping you stay that way.

  • So, I Hacked a Tesla . . .

    Tesla deserves great credit for bringing electric vehicles into the mainstream. Say what you will about Elon Musk, his vision is proving wildly successful in a space where many others have failed.

    Even so, if the two of us could have a conversation, I’d probably recommend that the company invest more time and resources in cybersecurity for its vehicles. 

    Here’s why:

    Recently I decided to see how easy it would be for my personal Tesla to be hacked — and stolen. As you will see in the video below, with some commonly used tactics, it was relatively quick and easy. 

    The attack demonstrated in the video relies on phishing to get the victim’s credentials. At that point, the hacker has complete control and can do pretty much whatever they wish — including unlocking the car and driving away. 

    The video demonstrates why, if you’re not careful, your Tesla could be compromised and stolen without a lot of effort from the attacker. 

    Until the company itself adds more protection, it’s up to you to take some basic precautions. By the way, it’s wise to follow these practices no matter if it’s your Tesla, your bank account, your Twitter feed, or any online account.

    • Stay vigilant and question any WiFi network that asks you to connect.
    • Never give account information, credentials, or access tokens to a third party unless it is absolutely necessary.
    • Every account you create should have a unique and strong password. Every. Single. Account.
    • If your account is compromised, immediately reset your password and let the company or companies know.

    Here at Raxis, we offer a broad range of services to help find security vulnerabilities within your organization. And though a typical penetration test would not uncover this type of vulnerability, a Raxis red team assessment could. 

    Our red team assessments test your organization’s security from top to bottom and end to end to uncover any way your network can be compromised by a skilled and determined attacker. If you are ready to take control of your company’s security, contact us and let us see how we can help.

  • Five Red Flags for Black Friday

    ‘Tis the shopping season! First up, Black Friday, followed by Shop Local Saturday, Cyber Monday, and all the shopping days that follow.

    Did you wake up early to stretch out your “add to cart” fingers so you can snag that hard-to-find, hot item of the season at a discounted price? Planning on heading out to that cute little boutique next to your office during lunch? 

    Before you do, there are a few things you need to remember. Most important is that cybergrinches are out there year-round, just waiting for the perfect opportunity to steal your holiday joy. The holiday season is big business for them, and they are waiting for you to drop your guard. (And, no, they don’t care if it lands them on the naughty list.)

    In the video above, I detail five red flags you should look out for on Black Friday — and all the other shopping days of the year. I’m hopeful these tips will help keep you and your company’s network secure this holiday season.

    Let’s review: if you are going to be holiday shopping in the coming weeks, it is imperative that you take the proper precautions to keep yourself and your company secure.

    • Don’t click on links within emails, and be very suspicious of any emails that discuss your credit cards or bank accounts.
    • Be wary of phone calls seeking donations to various charities. Be vigilant, and do your research on the charity. Even then, donate directly, not from the email.
    • If you are out shopping on your lunch break or after work, make sure your work badge is in a protective sleeve to help prevent cloning.
    • Strangers are still strangers in the holiday season. Make sure everyone in your building and anyone trying to get in has the proper credentials to be there – or that they have an escort.
    • Stay vigilant with your security practices, even when your office is short-staffed. When we get busy, it’s easy to skip locking computers and returning sensitive documents to a secure location. Take the extra few seconds to do cybersecurity right.

    Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. We can help you pinpoint security threats and find ways to remediate them leaving your company far more secure and giving you additional peace of mind.  

    Ready to find out how secure your network really is? Reach out to us, and let’s discuss your needs and how we can help.

  • Why you should turn off Cisco Smart Install now

    In this video, I explain how Cisco Smart Install can leave you and your company vulnerable if it is left on. (Helpful hint: Cisco Smart Install is often on by default, so watch this and then go check your network).

    Network admins are surely familiar with Cisco Smart Install – the handy plug-and-play configuration and management feature that offers zero-touch deployments. 

    And though Cisco is known for security, and the Smart Install feature has some great benefits – such as allowing you to easily deploy network switches in a Cisco environment with no assistance from a network admin – it also can be a security risk if you leave it turned on.  Whether by design or default, I find a lot of cases where it’s left on, but none where it’s actually in use at that time. For a penetration tester, that’s a key finding.

    Have you checked your network to see if Cisco Smart Install is on? It was, wasn’t it? And you did turn it off, right?

    If so, you closed off a simple but often effective door for hackers. 

    Raxis is an elite team of professionals who are paid to attack and assess cybersecurity systems. We can help you pinpoint security threats and find ways to remediate them leaving your company more secure than we found it.  

    Ready to find out how secure your network really is? Reach out to us and let’s discuss your needs and how we can help.

  • Imminent Threat for US Hospitals and Clinics, RYUK Ransomware Alert (AA20-302A) – Updated 11/2/2020

    Earlier this week, rumblings were detected of a RYUK attack against US-based hospitals and clinics. As the week has progressed, we have started to see this attack unfold.

    On October 29, 2020 a confidential source on the attack described this as “Increased and Imminent Cybercrime Threat”.

    What we know:

    This appears to be a RYUK ransomware attack being delivered through phishing attacks. Raxis recommends that heightened vigilance be applied across all attack vectors and instrumentation.

    Who:

    The attack appears to be targeted at U.S.-based hospitals, clinics, and other health care facilities. All health care operations should be on heightened alert for anomalous behavior or other Indicators of Compromise (IOCs).

    When:

    Imminent. As of the time of this writing several US hospitals are already under attack.

    What to do:  
    • Immediately disseminate threat awareness notifications to all users and establish an update cadence to keep them aware of the threat as it continues to evolve.
    • Isolate critical systems where possible.
    • Review Incident Response (IR) plans and confirm accuracy of the plans to the extent possible.
    • Verify systems are patched and up to date.
    • Adjust instrumentation to detect known ransomware IOCs.
    • Use Multi-Factor Authentication (MFA) wherever possible. Consider temporarily enforcing MFA in instances where users have the option of bypassing it.
    • Enforce cybersecurity hygiene, including auditing user accounts with admin privileges and closing all unnecessary ports.
    • Backup all critical data and verify restoration capabilities.
    • Verify endpoint protection measures are up to date and functioning properly.
    Technical details of the attack:
    • The initial insertion point is through a phishing campaign.
    • Typically, RYUK has been deployed as a payload from Trojans such as Trickbot.
    • RYUK actors use common tools to steal credentials. These tools allow the actors to dump cleartext passwords as well as password hashes that can be brute forced offline.
    • Payloads may establish persistence based on DLL injection or other common techniques.
    • RYUK has been known to use scheduled tasks and service creation to maintain persistence.
    • RYUK actors will conduct network reconnaissance using native tools such as Windows Net commands, nslookup, and ping to locate mapped network shares, domain controllers, and Active Directory resources.
    • RYUK actors also use tools such as PowerShell, Windows Management Instrumentation (WMI), Windows Remote Management, and Remote Desktop Protocol (MS-RDP) for lateral movement through the network. IT personnel should be on alert for any suspicious traffic on the network.
    • RYUK uses AES-256 to encrypt files and an RSA public key to encrypt the AES key.
    • Actors will attempt to disable or remove security applications on victim systems that might prevent the ransomware from executing. Secondary monitoring on these processes may enhance detection fidelity.
    Updates
    November 2, 2020

    New information has been released specifically around Indicators of Compromise (IOC). Latest information indicates threat actors are targeting the HPH Sector with TrickBot and BazarLoader malware. This malware often leads to ransomware, data theft, and disruption of services. These are often loaded through malicious links and/or attachments via phishing.

    TrickBot IOC:
    TrickBot often installs an anchor toolset identified as anchor_dns that creates a backdoor for sending and receiving data from compromised machines using Domain Name System (DNS) tunneling. Anchor_dns uses a single-byte XOR cipher to encrypt communications, which have been observed using key 0xB9. The encrypted traffic is carried in DNS request traffic.
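    As an added example that is not part of the Raxis alert or the advisory it draws on, the following Python shows how a defender can pull the XOR-encrypted payload out of tunnelled DNS query names and recover the single-byte key by brute force rather than assuming 0xB9. The hex-in-labels encoding, the parent domain and the beacon text are constructed assumptions for this example, not observed indicators.

```python
"""
Added example (not from the Raxis alert or the CISA advisory it summarises):
a defender-side decoder for anchor_dns-style DNS tunnelling, where each query
carries payload bytes encrypted with a single-byte XOR key (0xB9 was observed).

Assumptions: the payload is hex-encoded and split across DNS labels under a
fixed parent domain; the parent domain and beacon text are constructed and are
not real indicators.
"""
import string

ANCHOR_KEY = 0xB9                     # single-byte key observed in the wild
C2_PARENT = "c2-placeholder.invalid"  # constructed, not a real anchor_dns domain
# Printable ASCII minus control whitespace; space (0x20) stays in the set.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is symmetric: the same call encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def build_query(plaintext: bytes, key: int = ANCHOR_KEY, parent: str = C2_PARENT) -> str:
    """Simulate a tunnel client: XOR, hex-encode, split into <=60-char labels."""
    hexed = xor_bytes(plaintext, key).hex()
    labels = [hexed[i:i + 60] for i in range(0, len(hexed), 60)]
    return ".".join(labels + [parent])


def extract_payload(qname: str, parent: str = C2_PARENT):
    """Return the raw (still encrypted) bytes carried by a query, or None."""
    suffix = "." + parent
    if not qname.lower().endswith(suffix):
        return None
    try:
        return bytes.fromhex("".join(qname[:-len(suffix)].split(".")))
    except ValueError:
        return None


def text_score(data: bytes) -> int:
    """Heuristic: reward lowercase letters and spaces, punish non-printables."""
    score = 0
    for b in data:
        if b not in PRINTABLE:
            score -= 100
        elif 0x61 <= b <= 0x7A or b == 0x20:
            score += 1
    return score


def recover_key(ciphertext: bytes) -> int:
    """Brute-force all 256 single-byte keys; the most text-like result wins."""
    return max(range(256), key=lambda k: text_score(xor_bytes(ciphertext, k)))


def analyze_queries(qnames, parent: str = C2_PARENT):
    """Decode tunnelled queries and note whether the recovered key is 0xB9."""
    findings = []
    for q in qnames:
        payload = extract_payload(q, parent)
        if payload is None:
            continue  # not under the suspicious parent, or not hex: ignore
        key = recover_key(payload)
        findings.append({
            "query": q,
            "key": key,
            "known_anchor_key": key == ANCHOR_KEY,
            "plaintext": xor_bytes(payload, key),
        })
    return findings


# Constructed sample: one benign lookup and one tunnelled beacon.
SAMPLE_BEACON = b"anchor_dns host=WS01 user=jdoe"
SAMPLE_QUERIES = [
    "www.example.com",
    build_query(SAMPLE_BEACON),
]

if __name__ == "__main__":
    for f in analyze_queries(SAMPLE_QUERIES):
        print(f"{f['query']}\n  key=0x{f['key']:02X} "
              f"anchor_key={f['known_anchor_key']} text={f['plaintext']!r}")
```

    The scoring heuristic assumes the tunnelled content is mostly lowercase text; binary payloads would need a different likelihood measure.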

    TrickBot copies itself as an executable file with a 12-character randomly generated name and places this file in one of the following directories:

    • C:\Windows
    • C:\Windows\SysWOW64
    • C:\Users\[Username]\AppData\Roaming

    Once the executable is running, it downloads hardware-specific modules from the Command and Control server (C2s). These files are placed in the infected host’s %APPDATA% or %PROGRAMDATA% directory.

    The malware uses a scheduled task running every 15 minutes to maintain persistence with the host machine. Reports indicate the tasks typically use the following naming conventions:

    [random_folder_name_in_%APPDATA%_excluding_Microsoft]
    autoupdate#[5_random_numbers] 

    After successful execution, anchor_dns deploys malicious batch scripts using PowerShell commands: 

    cmd.exe /c timeout 3 && del C:\Users\[username]\[malware_sample]
    cmd.exe /C PowerShell \"Start-Sleep 3; Remove-Item C:\Users\[username]\[malware_sample_location]\"

    The following domains have been associated with anchor_dns:

    • Kostunivo.com
    • chishir.com    
    • mangoclone.com
    • onixcellent.com

    This malware has been known to use the following legitimate domains to test internet connectivity:

    • Api.ipify.org
    • Checkip.amazonaws.com
    • Icanhazip.com
    • Ident.me
    • Ip.anysrc.net
    • Ipecho.net
    • Ipinfo.io
    • Myexternalip.com
    • Wtfismyip.com

    There is also an open-source tracker for TrickBot C2 servers located at https://feodotracker.abuse.ch/browse/trickbot/

    Anchor_dns historically used the following C2 Servers:

    • 23.95.97.59
    • 51.254.25.115
    • 87.98.175.85
    • 91.217.137.37
    • 193.183.98.66

    BazarLoader/BazarBackdoor IOC:

    BazarLoader is typically deployed through phishing, and the campaigns share the following traits:

    • Typically deployed in a PDF attachment through an actor controlled online hosting solution
    • Often references a failure to create a preview of the document and contains a link to a URL that is hosting a malware payload
    • Emails are often routine in appearance and often employ a business pretext
    • Typical social engineering tactics are in use with email content 

    The following filenames have been identified for installing BazarLoader:

    • Document_Print.exe
    • Report10-13.exe
    • Report-Review26-10.exe
    • Review_Report15-10.exe
    • Text_Report.exe 

    Bazar activity can be detected by searching system startup folders and Userinit values under the HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon registry key:

     %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\adobe.lnk 

    The following C2 servers are known to be associated with this malicious activity:

  • A Herring Haunting at Curriculaville Next Wednesday

    To me, the scariest movies are ones where the ghost/monster/alien turns out to be someone we’ve come to know and trust. The same thing is often true with cyberthreats – the people who can do the most damage to your organization, whether intentionally or not, are your own employees. During Raxis red team engagements, company employees are one of the most reliable ways we have to gain access to the corporate network.

    Believe me, after thousands of penetration tests over the years, Raxis has lots of stories – and I intend to tell some.

    Next Wednesday, our friends at Curricula, an Atlanta-based cybersecurity training company, will launch their first annual “Curriculaville” remote cybersecurity summit. The free, one-day event starts at 11 AM and will feature a number of experts from the information security space. I’m proud to represent the Raxis team as part of a panel discussion entitled, “Scary Security Stories” that will begin at 1 PM. 

    This is the time of year for tales that send chills up your spine and raise goosebumps on your skin. If you haven’t trained your employees properly and put effective cyber defenses in place, well . . . let’s just say you might be in for quite a fright.

    The good news is that Raxis stories usually have happy endings. We might steal some passwords and take over your domain, but 99% of the time, we leave your soul intact. And, we’ll show you how to avoid the real bad guys who will take that and more if they can.

    Please check out the link and sign up for this informative, educational event at Curriculaville. After all, hearing our scary stories might just keep you from living one of your own.