Cryptojacking

ECS

Monero


Alibaba CSP becomes a viable target for illicitly running Monero mining

Threat groups disable pre-installed security features in Alibaba CSP to illicitly mine Monero...

19-Nov-2021
3 min read

Related Articles


Authentication Bypass

Explore VMware's swift resolution of CVE-2023-34060. Learn about the workaround ...

A critical vulnerability surfaced in VMware's Cloud Director appliance deployments, disclosing a potential threat that lingered unpatched for over two weeks since its disclosure on November 14th.

## Vulnerability: A Critical Authentication Bypass (CVE-2023-34060)

The identified flaw (CVE-2023-34060) exclusively affects appliances running VCD Appliance 10.5, specifically those upgraded from older releases. VMware assures users that it doesn't impact fresh VCD Appliance 10.5 installs, Linux deployments, or other appliances. Remote attackers can exploit this vulnerability through low-complexity attacks requiring no user interaction. VMware [delineates](https://www.vmware.com/security/advisories/VMSA-2023-0026.html) the specifics, stating, _"On an upgraded version of VMware Cloud Director Appliance 10.5, a malicious actor with network access to the appliance can bypass login restrictions when authenticating on port 22 (ssh) or port 5480 (appliance management console)."_

### Immediate Action: VMware Security Advisory VMSA-2023-0026

For administrators unable to promptly install the security patch, VMware offers a temporary workaround. VMware Security Advisory [VMSA-2023-0026](https://www.vmware.com/security/advisories/VMSA-2023-0026.html) guides customers on understanding the issue and outlines the upgrade path to rectify it. The workaround is tailored for affected versions of VCD Appliance 10.5.0. Admins need to download a [custom script](http://kb.vmware.com/s/article/95534) provided by VMware and execute it on cells vulnerable to CVE-2023-34060 attacks. Importantly, this workaround causes no functional disruption, and downtime is a non-issue: it requires neither a service restart nor a reboot.

## Historical Context: VMware's Swift Responses to Cyber Threats

This incident follows VMware's recent cybersecurity endeavors. In June, the company swiftly addressed an ESXi zero-day vulnerability (CVE-2023-20867) exploited by Chinese cyberspies for data theft. VMware's vigilance also led to the mitigation of an actively abused critical flaw in the Aria Operations for Networks analytics tool. Notably, in October, VMware resolved a critical vCenter Server flaw (CVE-2023-34048), closing the door on potential remote code execution attacks. These instances underscore VMware's commitment to maintaining the integrity and security of its platforms.

### Code Chronicles: An Exploration of Vulnerabilities

Let's delve into the heart of the matter: the code. Understanding the intricacies of the vulnerability (CVE-2023-34060) requires a closer look at the affected scripts and code snippets. Below is a snippet illustrating the potential risk:

```python
# Vulnerable code snippet (simplified illustration, not the appliance's actual code)
def authenticate_user(port, actor):
    # Login restrictions are skipped for ssh (22) and the appliance
    # management console (5480) whenever the caller has network access
    if port == 22 or port == 5480:
        if actor.has_network_access():
            bypass_login_restrictions()
```

***This simplified representation sheds light on how a threat actor with network access can exploit the vulnerability on specific ports.***
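As an added defender-side example (not code from the article or from VMware), the following script triages an appliance inventory against the conditions the advisory states for CVE-2023-34060 and tells an admin which cells need the KB 95534 workaround or patch, and which of those still expose ports 22 or 5480. The inventory format and its field names (`platform`, `install`, `exposed_ports`) are assumptions constructed for this example.

```python
import csv
import io

# Constructed sample inventory (not real hosts). 'install' is an assumed
# field recording whether the cell was a fresh 10.5 install or upgraded.
INVENTORY_CSV = """name,platform,version,install,exposed_ports
vcd-cell-01,appliance,10.5.0,upgraded,22;5480;443
vcd-cell-02,appliance,10.5.0,fresh,22;5480
vcd-cell-03,linux,10.5.0,upgraded,22
vcd-cell-04,appliance,10.4.2,upgraded,5480
"""

# Ports named in the advisory: ssh and the appliance management console.
AFFECTED_PORTS = {22, 5480}


def is_affected(row):
    """Advisory conditions: VCD Appliance 10.5 that was upgraded from an
    older release. Fresh 10.5 installs and Linux deployments are not affected."""
    return (row["platform"] == "appliance"
            and row["version"].startswith("10.5")
            and row["install"] == "upgraded")


def triage(csv_text):
    """Return (name, affected, exposed_affected_ports, action) per cell."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ports = {int(p) for p in row["exposed_ports"].split(";") if p}
        affected = is_affected(row)
        exposed = sorted(ports & AFFECTED_PORTS) if affected else []
        if not affected:
            action = "not affected per VMSA-2023-0026"
        elif exposed:
            action = ("apply the KB 95534 workaround script or patch; until then, "
                      "restrict network reachability of ports %s" % exposed)
        else:
            action = "apply the KB 95534 workaround script or patch"
        results.append((row["name"], affected, exposed, action))
    return results


if __name__ == "__main__":
    for name, affected, exposed, action in triage(INVENTORY_CSV):
        print("%-12s affected=%-5s exposed=%-10s %s" % (name, affected, exposed, action))
```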

01-Dec-2023
3 min read

LockBit

Ransomware

Ransomware group LockBit claimed responsibility for a cyberattack targeting Indi...

In a bold move on Wednesday, the notorious ransomware group LockBit reportedly targeted India's National Aerospace Laboratories (NAL), revealing the vulnerability of critical entities to threats. This incident poses significant challenges to the nation's cybersecurity landscape, demanding a thorough examination of the breach and its implications.

## **LockBit Targeted NAL**

LockBit, an infamous ransomware group, seized control of NAL's website, leaving a trail of chaos. The aerospace research giant, established in 1959, became the latest victim in a series of high-profile attacks orchestrated by [LockBit](https://www.secureblink.com/cyber-security-news/lock-bit-ransomware-new-encryptor-and-impact-on-the-derivatives-trading-market). The dark web leak site now hosts NAL's confidential documents, a tactic employed by ransomware groups to coerce organizations into paying undisclosed ransoms. Among the leaked data are confidential letters, an employee's passport, and internal documents, marking a brazen violation of NAL's digital perimeter.

### **NAL's Digital Presence Crumbles**

At the time of this report, NAL's website experienced a global outage, raising suspicions of a ransomware-induced disruption. The extent of the attack remains uncertain, underscoring the urgency for swift and decisive action. NAL has remained silent, and queries to India's Computer Emergency Response Team (CERT-In) have gone unanswered. The ramifications of this breach extend beyond the compromised data, posing potential risks to national security and collaborative efforts with entities like the Indian Space Research Organisation and the Defence Research and Development Organisation.

## **LockBit's Trail of Infamy**

LockBit's exploits extend far beyond the boundaries of India. In recent months, this ransomware juggernaut has infiltrated the networks of global giants. Boeing, an American multinational corporation that designs, manufactures, and sells aircraft, [was hacked](https://www.secureblink.com/cyber-security-news/boeing-hacked-lockbit-ransomware-threatens-to-leak-if-no-ransom-on-time) by LockBit. Taiwanese chipmaker [TSMC](https://www.secureblink.com/cyber-security-news/70-m-ransom-demand-by-lock-bit-ransomware-tsmc-confirms-data-breach), British stalwart Royal Mail, and Indian pharmaceutical titan [Granules India](https://www.secureblink.com/cyber-security-news/lock-bit-ransomware-attack-on-granules-india-extorting-91-millions) fell victim to LockBit's insidious tactics. Even the administrative fabric of Los Angeles and the fiscal nerve center of California faced LockBit's relentless onslaught in recent years. The breadth of LockBit's targets underscores the urgency for a collective cybersecurity response on a global scale.

### **A Closer Look: LockBit's Code Craftsmanship**

Examining the modus operandi of LockBit unveils a sophisticated tapestry of code intricacies. The ransomware deploys advanced techniques, exploiting vulnerabilities in software architectures. A snippet of LockBit's code reveals the seamless integration of evasion tactics and encryption algorithms, demonstrating a level of expertise that demands heightened vigilance.

```python
def encrypt_data(data, key):
    # Implementation of advanced encryption algorithm
    encrypted_data = advanced_encryption(data, key)
    return encrypted_data

def exploit_vulnerabilities(target_system):
    # Sophisticated code to identify and exploit vulnerabilities
    vulnerability_code = identify_vulnerabilities(target_system)
    exploit(target_system, vulnerability_code)
```

*LockBit's code base reflects a relentless pursuit of exploiting weaknesses, underscoring the need for organizations to fortify their defenses with continuous monitoring and robust security measures.*

30-Nov-2023
3 min read

Data Theft

Cyberattack

IntelBroker sells GE's pipelines for $500 amid cyberattack probe. Uncover the th...

General Electric (GE), a stalwart in the American multinational scene, finds itself under scrutiny. A threat actor self-identified as IntelBroker claims to have breached GE's development environment, an incident that has sparked concerns about the security of the company's data and systems.

## Alleged Breach

Earlier this month, IntelBroker attempted to monetize their alleged access to GE's _"development and software pipelines"_ on a hacking forum, seeking $500 for the information. When met with a lack of serious buyers, the threat actor escalated their efforts, now offering both network access and supposedly stolen data.

> "I am now selling the entire thing here separately, including access (SSH, SVN etc). Data includes much DARPA-related military information, files, SQL files, documents, etc.," IntelBroker declared on the forum.

As evidence of the breach, screenshots were shared, purporting to be stolen GE data, notably including a database from GE Aviation with information on military projects.

## GE's Response

In response to these claims, GE released a statement acknowledging the situation and asserting its commitment to investigating the alleged data leak.

> _"We are aware of claims made by a bad actor regarding GE data and are investigating these claims. We will take appropriate measures to help protect the integrity of our systems,"_ stated a GE spokesperson to BleepingComputer.

While the breach is yet to be confirmed, the involvement of IntelBroker raises eyebrows, given their track record of successful high-profile cyberattacks.

## IntelBroker's Notorious History

IntelBroker has a history marked by successful cyber intrusions, including a breach of the [Weee! grocery service](https://www.secureblink.com/cyber-security-news/weee-grocery-confirms-data-breach-exposing-1-1-million-customer-records). However, their most notable exploit involved the theft of sensitive personal information from the District of Columbia's D.C. Health Link program.

In March, IntelBroker breached DC Health Link, exposing a misconfigured server accessible online. The ensuing sale of a stolen database containing personal information triggered widespread media coverage and a congressional hearing to scrutinize the breach's origins.

## Technical Insights

### Code Exposure and Vulnerabilities

The threat actor's ability to compromise GE's development environment implies potential vulnerabilities in their code repositories and version control systems. The mention of _"access (SSH, SVN, etc.)"_ raises concerns about the exposure of critical components in GE's infrastructure.

### DARPA-Related Military Information

The alleged inclusion of DARPA-related military information in the stolen data underscores the severity of the breach. This not only poses a risk to GE but also raises questions about the broader implications for national security.

![forum-post(4).jpg](https://sb-cms.s3.ap-south-1.amazonaws.com/forum_post_4_becccfb2c0.jpg)

***Screenshot of GE data and access sold on a hacking forum (BleepingComputer)***

## Investigating Past Exploits

To understand the potential ramifications of the GE breach, delving into IntelBroker's past exploits is crucial. The breach of DC Health Link, a healthcare marketplace for Washington, D.C., highlighted the vulnerability of misconfigured servers.

### Congressional Scrutiny

The congressional hearing that followed the DC Health Link breach aimed to unravel the intricacies of the incident. Mila Kofman, Executive Director of the District of Columbia Health Benefit Exchange Authority, attributed the exposure to a [misconfigured server](https://oversight.house.gov/wp-content/uploads/2023/04/Mila-Kofman-Written-Testimony-April-19-2023.pdf), emphasizing the importance of robust server configurations.

29-Nov-2023
3 min read