#EmergingThreats
US Navy Destroyer Shoots Down Drone, Ensuring Ship's Safety in Red Sea #airdrone #alliednations #Counterterrorism #crew #emergingthreats #globalsecurityenvironment. #increaseduseofdrones #internationalwaters #maritimesecurity #militaryforce #navalpower #navalvessels #personnel #potentialattacks #readiness #redsea #routinepatrolmission #safety #Security #shipbasedcombatsystem #ships #shootingdownofthedrone #stability #tensions #Threat #usnavy #USNavydestroyer #USSMason #USSNimitzcarrierstrikegroup #vigilance
https://bit.ly/47Rda8S - Red Canary's 'Intelligence Insights' for November 2023 highlights key cybersecurity threats. The report tracks the prevalence of various threats in customer environments and compares the data to previous months for trend analysis.

Several threats trended up, while others remained stable or decreased in ranking. Notable threats include Yellow Cockatoo, Impacket, Mimikatz, Gamarue, and Raspberry Robin. LummaC2 and FakeBat made significant strides, entering the top 10 for the first time.

LummaC2 and FakeBat are two new threats gaining traction. LummaC2, an information stealer sold on underground forums, and FakeBat, a malware-as-a-service loader, are being increasingly adopted by adversaries. Their versatility in delivery and payload deployment makes them particularly concerning.

Qbot, a banking trojan, reappears in the rankings. Despite its takedown in August 2023, Qbot's persistence mechanisms continue to run on some systems. This underscores the importance of thorough remediation: leftover persistence that was never cleaned up can be picked up and used by new adversaries.

Red Canary highlights a detection opportunity for persistent threats like Qbot: monitoring for regsvr32.exe silently executing code from the AppData\Roaming directory can identify persistent malicious DLLs. Because the detection keys on the persistence mechanism rather than on a specific payload, it fires regardless of which adversary is now driving the leftover code.
#CyberThreatIntelligence#RedCanaryInsights#CyberSecurityTrends#EmergingThreats#LummaC2#FakeBat#Qbot#CyberHygiene#ThreatDetection#CyberDefense
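The detection opportunity above, written out as a filter over process-creation telemetry. This is an added example, not Red Canary's report or tooling: the field names follow Sysmon Event ID 1 (Image, CommandLine), the events are constructed, and `/s` is regsvr32's documented silent switch.

```python
"""Added example (not from Red Canary's report): flag regsvr32.exe silently loading a
DLL from a user's AppData\\Roaming tree in process-creation telemetry.
Field names follow Sysmon Event ID 1 (Image, CommandLine); events are constructed."""
import re

# Constructed process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Roaming\Ukhfle\jqlkw.dll"'},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"regsvr32 /s C:\Users\bob\AppData\Roaming\hjk\loader.dll"},
    # Not silent, and the DLL lives under Program Files: benign COM registration.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe C:\Program Files\Vendor\component.dll"},
    # Silent, but the DLL is a system component, not in a user profile.
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32.exe /s C:\Windows\System32\vbscript.dll"},
    # Different binary: out of scope for this particular detection.
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Roaming\x.dll,Run"},
    # Mixed case and dash-style switch: regsvr32 accepts both, so must we.
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r"REGSVR32.EXE -S c:\users\carol\appdata\roaming\tmp\x.dll"},
]

# regsvr32's silent switch may be written /s or -s, in any case, anywhere on the line.
SILENT_FLAG = re.compile(r"(^|\s)[/-]s(\s|$)", re.IGNORECASE)
# Path component that places the DLL inside a roaming user profile.
ROAMING_PATH = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def is_suspicious_regsvr32(event):
    """True when regsvr32.exe runs silently against a DLL under AppData\\Roaming."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "")
    if not image.endswith("\\regsvr32.exe"):
        return False
    return bool(SILENT_FLAG.search(cmd)) and bool(ROAMING_PATH.search(cmd))


def find_persistent_regsvr32(events):
    """Return the command lines of all events matching the detection."""
    return [e["CommandLine"] for e in events if is_suspicious_regsvr32(e)]


if __name__ == "__main__":
    for cmd in find_persistent_regsvr32(SAMPLE_EVENTS):
        print("SUSPECT:", cmd)
```

Treat a hit as a hunting lead rather than a blocking rule: check the DLL's signature and the parent process, since some per-user installers do register COM servers from the Roaming profile.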
Crypto Crime: An In-Depth Look at $30 Billion in Losses from 2012-2022
Cryptocurrency has been a topic of debate in the financial world since the launch of Bitcoin in 2009. While it has the potential to revolutionize the financial industry, it has also given rise to various types of cybercrime. Cryptocurrency-related crimes have been increasing in frequency and sophistication, leading to significant financial losses for individuals and businesses worldwide. This report aims to provide an overview of cryptocurrency-related crime from 2012-2022, covering money lost, types of crime, targeted countries, and future trends.

Money Lost: In 2022, crypto crime hit an all-time high of $12 billion stolen in 436 incidents. This is equivalent to $1.4 million lost every hour last year due to crypto-related crime. All crypto stolen in the last decade totals $30,019,892,161. That's 30 times the UN's earthquake appeal for Turkey, 20 times the cost of building the world's tallest building, and 18 times Google's YouTube acquisition. The top three types of crypto crime are theft, fraud, and hacking.

Targeted Countries: The US has been the most targeted by cryptocurrency hackers, followed by Japan, South Korea, and China. However, Turkey lost the most dollars to crypto crime, because large-scale Ponzi schemes and exit scams accounted for the majority of its losses. Other countries that have been targeted include Russia, Ukraine, India, and the United Kingdom.

Dangerous Months: June is the most dangerous month for crypto investing, with 77 crypto crime incidents and $5.7 billion stolen in the last ten years. This can be attributed to the influx of new investors and the high volatility of the crypto market during this time.

Future Trends: 2023 has the potential to reach a new all-time high, with more than $16 billion lost to crypto crime. By 2025, this figure could reach nearly $20 billion. One emerging trend is the use of decentralized finance (DeFi) platforms, which are becoming increasingly popular among cryptocurrency users.
DeFi platforms allow users to lend and borrow cryptocurrency without a centralized intermediary. However, they are also vulnerable to various types of attacks, including smart contract exploits and rug pulls. As DeFi continues to grow in popularity, it is likely to become a major target for cybercriminals.

Cryptocurrency-related crime has been a major issue in the financial industry since the launch of Bitcoin in 2009. The total amount lost to cryptocurrency-related crime from 2012-2022 is estimated at over $30 billion, with theft, fraud, and hacking the most common types of crime. The US has been the most targeted by cryptocurrency hackers, but Turkey lost the most dollars to crypto crime. As cryptocurrency adoption continues to grow, cryptocurrency-related crime is likely to increase in frequency and sophistication as well. It is crucial for individuals and businesses to take steps to protect their cryptocurrency holdings from cybercriminals.
#Bitcoin#Blockchain#Crime#CryptoMarket#Cryptocurrency#Cybersecurity#DecentralizedFinance#DeFi#DigitalAssets#EmergingThreats#Ethereum#FinancialIndustry#Fraud#FutureTrends#Hacking#InvestorProtection#Losses#PonziScheme#SecurityMeasures#TargetedCountries
WordPress Security: Nulled Scripts and the CryptoPHP Infection
New Post has been published on https://recyclingmedia.com/wordpress-security-nulled-scripts-and-the-cryptophp-infection/
Our friends over at Fox-IT, based in Delft in the Netherlands, just contacted me with some amazing research they've just published. If you're technically minded and want as much detail as possible, I recommend you skip this blog entry and head straight over to the whitepaper Fox-IT has published on the CryptoPHP backdoor (it's 50 pages). I've summarized the details and our response:
Nulled scripts are commercial web applications that you can obtain from pirate websites that have been modified to work without a license key. They are the web equivalent of pirated software. They include commercial WordPress themes and plugins.
It’s come to our attention courtesy of Fox-IT that nulled scripts are being distributed via several websites with a sophisticated infection pre-installed. Fox-IT has dubbed it CryptoPHP because of the fact that it encrypts data before it sends it to command and control servers.
The infection is relatively simple: Inside a nulled script there’s a little line of code that looks like this:
<?php include('assets/images/social.png'); ?>
If you're a PHP developer you will immediately recognize this as looking strange: it is a PHP directive to include an external file containing PHP source code, but the file is apparently an image. PHP does not care about the extension of an included file; it parses and executes whatever PHP code it finds inside. Inside this image file is actual PHP, and the code is obfuscated (hidden through scrambling) to try to hide the fact that it's malicious.
If you're a Wordfence customer and you are running scans, note that the default Wordfence settings do not scan image files for infections. We are aware of these kinds of infections, so a while back we added an option to scan image files as if they were PHP code. With the detection we've just added, Wordfence will also detect the 'include' directive above in your PHP source, so even if you haven't enabled image-file scanning you will still catch all known variants of this infection, provided you are running the newest version of Wordfence.
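Both detection angles described above, the include directive pointing at a non-PHP file and the PHP code hidden inside the "image", as a small scanner. This is an added example and is neither Wordfence's nor Fox-IT's code; the theme files it inspects are constructed in memory and the payload inside the fake PNG is a harmless placeholder.

```python
"""Added example (not Wordfence's or Fox-IT's code): locate include/require statements
in PHP source that pull in a file with a non-PHP extension, such as the
'assets/images/social.png' in the CryptoPHP case, and check whether that target
really contains PHP code. All sample files are constructed in memory."""
import posixpath
import re

# include('x'), include 'x', require_once("x") ... with a literal string argument.
INCLUDE_RE = re.compile(
    r"\b(include_once|include|require_once|require)\s*\(?\s*['\"]([^'\"]+)['\"]\s*\)?\s*;",
    re.IGNORECASE,
)
# Extensions that should never be the target of an include in a clean theme or plugin.
NON_PHP_EXT = {".png", ".jpg", ".jpeg", ".gif", ".ico", ".bmp", ".svg", ".txt", ".css", ".js"}
# A PHP open tag anywhere in the bytes; binary image headers before it do not matter to PHP.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def suspicious_includes(php_source):
    """Return the literal include targets whose extension is in NON_PHP_EXT."""
    hits = []
    for m in INCLUDE_RE.finditer(php_source):
        target = m.group(2)
        ext = posixpath.splitext(target)[1].lower()
        if ext in NON_PHP_EXT:
            hits.append(target)
    return hits


def contains_php(blob):
    """True if the file bytes hold a PHP open tag (what the image-file scan looks for)."""
    return PHP_OPEN_TAG.search(blob) is not None


# Constructed sample theme: path -> file bytes. 'social.png' carries a PNG signature
# followed by a PHP block, the shape the CryptoPHP whitepaper describes; the payload
# here is a harmless placeholder.
SAMPLE_FILES = {
    "functions.php": (
        b"<?php\n"
        b"include('assets/images/social.png');\n"
        b"require_once 'inc/helpers.php';\n"
        b"?>\n"
    ),
    "inc/helpers.php": b"<?php function helper() { return 1; } ?>",
    "assets/images/social.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php echo 'placeholder'; ?>",
    "assets/images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
}


def scan(files):
    """Walk every .php file, resolve suspicious include targets relative to it,
    and report (including_file, resolved_target, target_contains_php)."""
    findings = []
    for path, data in files.items():
        if not path.endswith(".php"):
            continue
        for target in suspicious_includes(data.decode("utf-8", "replace")):
            resolved = posixpath.normpath(posixpath.join(posixpath.dirname(path), target))
            findings.append((path, resolved, contains_php(files.get(resolved, b""))))
    return findings


if __name__ == "__main__":
    for including_file, target, has_php in scan(SAMPLE_FILES):
        print(f"{including_file}: includes {target} (contains PHP: {has_php})")
```

A literal regex only catches the plain form shown in the post; a dropper can assemble the path at runtime (`include($a . $b);`) or hide it behind a stream wrapper, which is why the complementary image-file scan for PHP open tags still matters.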
Fox-IT has determined that the purpose of the malware is, currently, to engage in black-hat SEO by injecting links to other, presumably malicious, websites into your content. However, this infection is sophisticated and it communicates with command and control servers that can instruct it to do a variety of tasks including the ability to upgrade itself. So this is a classic botnet infection which turns all infected websites into drones that can be instructed to do just about anything, from sending spam email to SEO spam to hosting illegal content to performing attacks on other websites.
The researchers think they may have identified the location of the author. Inside the malware's code is a check on the browser user-agent: if the user-agent equals 'chishijen12', the application outputs all PHP errors to the browser, presumably for debugging purposes. Fox-IT found an IP address associated with that user-agent, and the IP is located in Chisinau, the capital of Moldova. The similarity between the city's name and the user-agent string lends their theory some credence.
This infection doesn’t just affect WordPress but affects Drupal and Joomla too. The detection we’ve added will actually detect the infection in Drupal or Joomla source code too if that lives under your WordPress directory.
If you're an enterprise customer using an IDS like Snort or the EmergingThreats ruleset, Fox-IT has created Snort signatures, which are in the whitepaper, and I see that EmergingThreats have updated their open ruleset today to detect this.
You can find the full whitepaper discussing this new threat here; it includes quite a bit of technical detail if you're a developer or information security researcher.
Please help spread the word about the danger involved in downloading or distributing nulled scripts and help keep the community safe.
Installing Suricata on OpenBSD and network monitoring
Suricata, in its own words, is an open-source "network threat detection engine". The engine inspects network traffic using rules and signatures and helps us monitor it. For anyone interested in network monitoring and threat detection, it is a great tool in the open-source world.
In this post I will draw on a few important sources: Suricata's own documentation at http://suricata.readthedocs.io/en/latest/ and the Open Information Security Foundation (OISF) wiki (https://redmine.openinfosecfoundation.org/projects/suricata/wiki).
On GNU/Linux you can run Suricata as a very performant IDS (Intrusion Detection System) with "pf_ring" (http://www.ntop.org/products/packet-capture/pf_ring/) or af_packet, using the Emerging Threats rules (roughly 30 thousand rules) (https://rules.emergingthreats.net/). Step-by-step instructions for installing on GNU/Linux are on the wiki, and there is detailed documentation on kernel packet capture here (https://home.regit.org/wp-content/uploads/2015/10/2015_kernel_recipes_capture.pdf).
In this post I will use a default installation of OpenBSD 6.0. I see it as an advantage that OpenBSD is an entirely security-focused operating system and that its kernel already ships pf (packet filter).
Step 1: Installing Suricata's dependencies
pkg_add gcc git libtool pcre jansson libmagic libyaml
pkg_add libnet-1.1.2.1p3v0 autoconf-2.69p2 automake-1.14.1p0
git clone --depth 1 git://phalanx.openinfosecfoundation.org/oisf.git
cd oisf
git clone --depth 1 https://github.com/OISF/libhtp.git -b 0.5.x
Step 2: Installing Suricata
export AUTOCONF_VERSION=2.69
export AUTOMAKE_VERSION=1.14
./autogen.sh
When autogen.sh finishes you should get output similar to the following. If you get errors at this point, know that they come from version differences between the autoconf and automake packages (this has happened to me before).
CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure --prefix=/usr/local --sysconfdir=/etc/ --localstatedir=/var/
make
make install install-conf install-rules
After a short wait, we have built Suricata from source and finished the installation.
We check it with suricata -V:
This is Suricata version 4.0dev (rev 6585ac4)
Step 3: Running Suricata and generating a test alert
The Suricata version we pulled from the repository is the 4.0 development version. The current stable release is 3.2; you can build that version the same way.
After installation the first job is to edit the suricata.yaml configuration file. Installing Suricata is easy, but tuning has to be done according to the topology, the performance of the server it runs on and the network.
We installed the Emerging Threats rules with "install-rules". The configuration file is at /etc/suricata/suricata.yaml and comes with a default configuration. The most basic change now is to set the network interface Suricata will use. I have a single management interface. Put the interface you want to listen on into promiscuous mode and let Suricata sniff it.
/usr/local/bin/suricata -c /etc/suricata/suricata.yaml -i em0
em0 = management interface
all 3 packet processing threads, 4 management threads initialized, engine started.
The moment we see 'Engine started', Suricata is running. All of Suricata's logs are under /var/log/suricata; you can change this in the configuration file.
Now let's add one test rule and check whether an alert is generated. Writing Suricata rules is genuinely fun; the syntax is a simple pattern that is easy to understand. For example:
Let's write a rule for ICMP packets. The protocol field is icmp; a rule with ip in that position would fire on every IP packet, not just ICMP. Local rules should also use a sid of 1000000 or higher, the range reserved for local use, so they cannot collide with the Emerging Threats set we installed.
alert icmp any any -> any any (msg:"ICMP packet detected!"; sid:1000001; rev:1;)
I added this rule to /etc/suricata/rules/local.rules, added that file to the rule-files list in suricata.yaml and saved it;
Then I restart Suricata and send some ICMP packets.
ping 8.8.8.8
Now, when I look at Suricata's eve.json log with tail -f, I can see that the rule I wrote has been triggered.
tail -f /var/log/suricata/eve.json
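The eve.json stream the post tails, read programmatically rather than by eye. This is an added example and not part of the post or of the Suricata project; the log lines are constructed, but the field names are Suricata's documented EVE alert fields (event_type, timestamp, src_ip, dest_ip, proto, alert.signature_id, alert.rev, alert.signature).

```python
"""Added example (not from the post or the Suricata project): pull 'alert' events out of
Suricata's EVE JSON log and summarise them per signature. The log lines are constructed
but use Suricata's documented EVE field names."""
import json
from collections import Counter

# Constructed eve.json content: one JSON object per line, as Suricata writes it.
# The last line stands for a partially written record seen while tailing a live file.
SAMPLE_EVE = """\
{"timestamp":"2017-01-10T12:00:01.000000+0300","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"8.8.8.8","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"ICMP packet detected!","category":"","severity":3}}
{"timestamp":"2017-01-10T12:00:01.050000+0300","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"8.8.8.8","proto":"ICMP"}
{"timestamp":"2017-01-10T12:00:01.100000+0300","event_type":"alert","src_ip":"8.8.8.8","dest_ip":"10.0.0.5","proto":"ICMP","alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,"signature":"ICMP packet detected!","category":"","severity":3}}
{"timestamp":"2017-01-10T12:00:02.000000+0300","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,"signature":"LOCAL second test rule","category":"","severity":3}}
{"timestamp":"2017-01-10T12:00:02.5
"""


def parse_alerts(text):
    """Return one flat dict per alert event; skip non-alert events and unparseable lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated record at the tail of a live file: wait for the rest
        if ev.get("event_type") != "alert":
            continue  # flow, dns, http ... events share the file with alerts
        a = ev.get("alert", {})
        alerts.append({
            "ts": ev.get("timestamp"),
            "sid": a.get("signature_id"),
            "rev": a.get("rev"),
            "sig": a.get("signature"),
            "src": ev.get("src_ip"),
            "dst": ev.get("dest_ip"),
            "proto": ev.get("proto"),
        })
    return alerts


def alerts_by_signature(alerts):
    """Count alerts per (sid, signature) pair."""
    return Counter((a["sid"], a["sig"]) for a in alerts)


def summarise(text):
    """One line per signature, most frequent first: '<count>  sid:<sid>  <msg>'."""
    counts = alerts_by_signature(parse_alerts(text))
    return [f"{n:5d}  sid:{sid}  {sig}" for (sid, sig), n in counts.most_common()]


if __name__ == "__main__":
    print("\n".join(summarise(SAMPLE_EVE)))
```

The two ICMP alerts in the sample are the echo request and its reply, which is what a bidirectional `any any -> any any` rule produces for a single ping; a count that doubles the number of pings you sent is therefore expected, not a bug.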
For now we have Suricata running and one of our rules triggered. I would like to cover tuning in more detail in another post; it is a detailed topic that requires system-level knowledge, and I have tons to learn about it myself :)
The most useful resource for me on this is again Suricata's own documentation. For those who want to look: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_User_Guide
My favourite aspect of Suricata is its log output: the eve.json file we get as JSON can be fed into Elasticsearch, Logstash and Kibana, after which we can analyse these logs much better...
Since I am new to the BSD family there may be mistakes in this post; if you want to correct anything, please let me know by mail...
I have linked the sources I used in the post. Finally, I should note that for the installation I made use of the script here, which you can also use for an easy install:
- https://gist.github.com/gretel/d8d19be5e0d9c2996355
Thanks for reading....
US Military Boosts High-Tech Defense to Counter China's Growing Threat #advancedtechnologies #artificialintelligence #competitiveedge #cybercapabilities #emergingthreats #globalsecuritylandscape #hypersonicweapons #increasedspending #militaryexpansion #Pacificregion #Pentagon #researchanddevelopment #SouthChinaSeatensions #USmilitaryfocusonChina #USChinarelations #weaponsystems