At BlackHat Europe Arenal 2020, I released the Strafer tool to detect potential ransomware/bot infections in the Elasticsearch instances deployed in the cloud environments.

Elasticsearch Threat Landscape

In security, we always say and strictly believe “Basics are the Hardest Part to Conquer”. That’s the true fact.

With recent challenges, the usage of video-conferencing technologies has increased exponentially. Zoom is being discussed a lot of these for the same.

With the advancements of new technologies and increasing usage, it becomes essential to analyze the security posture for the service providers including infrastructure and applications.

This post is all about making the most important point — “Basics Should be Implemented Efficiently and Securely”. The developer should learn about this and implement. It’s not about coding always but “Secure Coding”…

Sparty was designed to conduct efficient security assessment of MS Sharepoint deployments. The tool has been used by security community which shows the acceptability and and highlighting that the tool is useful.

Sparty was presented at BlackHat 2013 and the presentation is available at: https://media.blackhat.com/us-13/Arsenal/us-13-Sood-Sparty-Slides.pdf

Report by Aditya K Sood and RB.

Note: We would like to thank MalwareMustDie for providing additional inputs regarding reverse engineering of binaries.

Media Coverage

New Gucci Botnet Capable of Launching Multiple Types of DDoS Attacks — https://securityintelligence.com/news/new-gucci-botnet-capable-of-launching-multiple-types-of-ddos-attacks/

New ‘Gucci’ IoT Botnet Targets Europe — https://www.securityweek.com/new-gucci-iot-botnet-targets-europe

Security Labs discovered a new IOT bot named “GUCCI”. It seems like the IOT botnet is named after an Italian luxury brand of fashion and leather goods.
https://securityaffairs.co/wordpress/91942/malware/gucci-iot-bot.html

Waspada, Varian Botnet Gucci Targetkan Perangkat IoT — https://cyberthreat.id/read/3132/Waspada-Varian-Botnet-Gucci-Targetkan-Perangkat-IoT

Analysis

SecNiche Security Labs discovered a new IOT bot named “GUCCI”. It seems like the IOT botnet…

Cybercriminals deploy crimeware for conducting nefarious operations on the Internet. Crimeware is managed on a large scale through deployment of centralized portals known as Command and Control (C&C) panels. C&C panels are considered as attackers’ primary operating environment through which crimewave is controlled and updated at regular intervals of time. C&C panels also store information stolen from the compromised machines as a part of the data exfiltration activity. This empirical study highlights the analysis of thousands of real world C&C web Uniform Resource Locators (URLs) used for deployment of Crimeware such as botnets, key-loggers, ransomware, Point-of-Sales (PoS) malware, etc., to unearth the characteristics of HTTP-based C&C panels. This study gives a statistical view on design and technologies opted by the crimeware authors to deploy HTTP-based C&C panels.

Link : https://bsidessf2018.sched.com/speaker/aditya_k_sood.6kvngm0

Overview

During the conversation with the administrators about exposed AWS S3 buckets or traditional Directory Listing, the feedback often received is: “since the listed objects or files do not contain any sensitive information, the configuration of the buckets (or directories) is fine even if they are exposed.” This can be argued on multiple fronts. Consider the following points:

1. Any information disclosure via Directory Listing or AWS S3 Bucket Exposure could be used in different set of attacks.
2. From configuration standpoint, the enterprises or organizations do not need an explicit listing of objects or resources. A direct link to the file…

Online advertisements provide a convenient platform for spreading malware. Since ads provide a significant portion of revenue on the web, significant effort is put into attracting users to them. Malicious agents take advantage of this skillful attraction and then redirect users to malicious sites that serve malware

Recently, malvertising (malicious advertising on the Internet) attack mechanism has been opted by the attackers to infect Equifax (https://www.forbes.com/sites/leemathews/2017/10/12/equifax-website-caught-serving-malicious-ads-to-visitors/#5dad5d2f19f8 ) and Transunion (https://arstechnica.com/information-technology/2017/10/equifax-rival-transunion-also-sends-site-visitors-to-malicious-pages/ )credit bureau websites.

In malvertisements, the malicious code is injected in the third-party libraries hosted on the Content Delivery Networks (CDNs) or any other third-party domain. A Content Delivery Network…

Exposed QA Systems, Insecure API Design and Weak Security Controls: Perfect Recipe to Trigger Security Breach !

Disclaimer: The information presented in this blog post is for educational purposes only. The research is an outcome of independent efforts that are dedicated towards in making Internet a safer place.

Authors: Aditya K Sood and Rehan Jalil

As part of our in-house cloud security research activities, we continuously look for new threats posed by cloud apps and cloud infrastructure. …