Tag Archive for: Advanced

Amazon GuardDuty Enhances Security Across Industries with Advanced Malware Protection
Amazon’s GuardDuty, a comprehensive threat detection service, has significantly expanded its capabilities to offer advanced malware protection to its tens of thousands of users across various sectors worldwide. This addition is designed to strengthen defenses against a growing range of cybersecurity threats by integrating sophisticated file scanning for workloads on Amazon Elastic Block Store (Amazon EBS) volumes to identify malware presence. GuardDuty’s continuous evolution in its security approach highlights Amazon’s commitment to protecting its customers’ resources and data from unauthorized access and other cyber risks.

Robust Defense Mechanisms Against Cyber Threats

Amazon GuardDuty leverages machine learning (ML), anomaly detection, and integrated threat intelligence to identify and prioritize potential threats. This innovative approach enables GuardDuty to detect unusual or unauthorized activities, such as cryptocurrency mining, accessing Amazon Simple Storage Service (Amazon S3) data from suspicious locations, and unauthorized access to Amazon Elastic Kubernetes Service (Amazon EKS) clusters. By constantly updating its ML models and adding new anomaly detections, GuardDuty stays ahead of cybercriminals, ensuring robust security for its users.

GuardDuty Malware Protection: A Game-Changer for Cybersecurity

The introduction of GuardDuty Malware Protection marks a significant advancement in Amazon’s cybersecurity efforts. This feature extends GuardDuty’s capabilities to scan files on Amazon EBS volumes for malware, adding an extra layer of security for cloud workloads. It represents a proactive approach to cybersecurity, enabling real-time detection and response to potential threats. This development not only enhances the security posture of Amazon’s cloud environment but also offers peace of mind to the thousands of businesses relying on Amazon’s cloud services for their operations.

Implications for Businesses and Future Outlook

The continuous enhancement of Amazon GuardDuty, including the latest malware protection capabilities, underscores the importance of advanced cybersecurity measures in today’s digital…

Source…

Appdome unveils advanced Anti-Malware protections against Android accessibility service threats
Appdome, a leader in mobile application security, has announced its new anti-malware protections designed to detect Android Accessibility Service Malware. The protection targets threats such as Xenomorph, Brasdex, Octo, Sharkbot, Flubot, TeaBot, PixPirate, Sova, Spynote, and Joker. These are malicious software families used in large-scale attacks on mobile banking apps, crypto wallets, and other financial services apps.

Despite being created as an Android framework to aid disabled users with their mobile applications, Android’s Accessibility Service has quickly turned into a playground for fraudsters. Abusive individuals carry out cyberattacks by deploying malware that connects through Accessibility Service into sensitive applications, like banking and mCommerce platforms.

Appdome’s CEO Tom Tovar shed light on the severity of the issue, saying, “Once the Accessibility Malware is on a user’s device, it can listen, collect, intercept and manipulate Android Accessibility Service events to perform harmful actions without the user’s knowledge.” Fraudsters often mimic human actions within the mobile app, such as harvesting login credentials and completing transactions. Advanced variants like BrasDex and Xenomorph even employ Automated Transfer Systems (ATS) malware, capable of executing end-to-end transactions without a user’s active involvement.

The overall threat this malware poses led to the development of the new defense, explained Tovar. “This is a difficult problem to solve. To support the community, we created a defence that allows legitimate use of Accessibility Service, while at the same time prevents ATS malware from using Accessibility Service for nefarious purposes.”

Appdome’s new Prevent Accessibility Malware feature includes numerous protective measures. These involve multiple detection methods for ATS Malware, detection of potential methods used by ATS Malware in the context of Accessibility Service, and setting Trusted Accessibility Services. This way, brands can recommend trustworthy Accessibility Service applications to users. To further bolster these measures, Appdome also included an Accessibility Service Consent feature that allows users to approve…

Source…

Advanced Linux Malware Targeting South Korean Systems

Aug 05, 2023 | THN | Linux / Malware


Threat actors are using an open-source rootkit called Reptile to target Linux systems in South Korea.

“Unlike other rootkit malware that typically only provide concealment capabilities, Reptile goes a step further by offering a reverse shell, allowing threat actors to easily take control of systems,” the AhnLab Security Emergency Response Center (ASEC) said in a report published this week.

“Port knocking is a method where the malware opens a specific port on an infected system and goes on standby. When the threat actor sends a magic packet to the system, the received packet is used as a basis to establish a connection with the C&C server.”

A rootkit is a malicious software program that’s designed to provide privileged, root-level access to a machine while concealing its presence. At least four different campaigns have leveraged Reptile since 2022.

The first use of the rootkit was recorded by Trend Micro in May 2022 in connection with an intrusion set tracked as Earth Berberoka (aka GamblingPuppet), which has been found to use the malware to hide connections and processes related to a cross-platform Python trojan known as Pupy RAT in attacks aimed at gambling sites in China.

Then in March 2023, Google-owned Mandiant detailed a set of attacks mounted by a suspected China-linked threat actor dubbed UNC3886 that employed zero-day flaws in Fortinet appliances to deploy a number of custom implants as well as Reptile.

ExaTrack, that same month, revealed a Chinese hacking group’s use of a Linux malware called Mélofée that’s based on Reptile. Lastly, in June 2023, a cryptojacking operation discovered by Microsoft used a shell script backdoor to download Reptile in order to obscure its child processes, files, or their content.

A closer examination of Reptile reveals the use of a loader, which uses a tool called kmatryoshka to decrypt and load the rootkit’s kernel module into memory, after which it opens a specific port and waits for the attacker to transmit a magic packet to the host over protocols such as TCP, UDP, or ICMP.

“The data received through the magic packet contains the C&C server address,” ASEC said. “Based on this, a reverse shell…

Source…

FBI was using advanced hacking software despite White House ban

Since November of 2021, US-based companies have been barred from doing business with the NSO Group, an Israeli research firm behind some of the most advanced hacking tools the tech world has ever seen. As it turns out, a New York Times investigation from this past April revealed that a US government agency was actively using a powerful hacking tool from the NSO Group dubbed Landmark.

The White House subsequently launched an investigation and asked the FBI for assistance. Which agency, the White House wanted to know, was operating in defiance of the ban? And believe it or not, the investigation revealed that the agency using Pegasus was the FBI itself. Specifically, the FBI was using the software to track suspected drug cartel members in Mexico.

For what it’s worth, the FBI says the tool was provided to them by a contractor called Riva Networks. According to the FBI, the bureau wasn’t aware of the software’s origins.

The report reads in part:

The F.B.I. now says that it used the tool unwittingly and that Riva Networks misled the bureau. Once the agency discovered in late April that Riva had used the spying tool on its behalf, Christopher A. Wray, the F.B.I. director, terminated the contract, according to U.S. officials.

It is also unclear which, if any, government agencies besides the F.B.I. might have worked with Riva Networks to deploy the spying tool in Mexico. Two people with direct knowledge of the contract said cellphone numbers in Mexico were targeted throughout 2021, 2022 and into this year — far longer than the F.B.I. says the tool was used.

The reason why the NSO Group is precluded from doing business in the US is a long and interesting tale. Put simply, several stories over the past few years revealed that foreign governments with questionable human rights records were using NSO Group hacking tools to “maliciously target” journalists and dissidents. This ultimately prompted the White House to ban American companies from doing any type of…

Source…