Thursday, June 1, 2023
VMware

Going from E to X in Detection & Response

The first SOC I toured was that of a major US bank, circa 2000. That SOC, and the many others I’ve stepped foot in since relied heavily on a SIEM to play the twin roles of centralized data collection...
VMware

It’s Raining Implants: How to Generate C2 Framework Implants At Scale

Command-and-control (C2) frameworks serve as a means to remotely manage and access compromised devices. They allow for the creation of various payload types, called implants, that are dropped on victim machines by attackers, enabling them to retain access and...
VMware

VMware Response to CVE-2023-29552 – Reflective Denial-of-Service (DoS) Amplification Vulnerability in SLP

Greetings from the VMware Security Response Center! Today we wanted to address CVE-2023-29552 – a vulnerability in SLP that could allow for a reflective denial-of-service amplification attack that was disclosed on April 25th, 2023. VMware has investigated this vulnerability and determined...
VMware

Bring Your Own Backdoor: How Vulnerable Drivers Let Hackers In

Bring Your Own Vulnerable Driver (BYOVD) techniques are not new; they can be traced back at least as far as 2012 and the Shamoon wiper that targeted Saudi Aramco. The attack used RawDisk driver, which could manipulate hard drives...
VMware

XDR: Identity Matters – Who You Know is As Important as What You Know

Endpoint security is recognizably an essential part of modern cybersecurity, and endpoint security tools are in many cases a first and last line of defense. Endpoint security is focused on securing servers, workloads, end-user workstations, laptops, and any other...
VMware

Investigating 3CX Desktop Application Attacks: What You Need to Know

This is a developing situation and this blog post will be updated as needed. Reports of malicious code associated with the 3CX desktop application – part of the 3CX VoIP (Voice over Internet Protocol) platform – began on March 22,...
VMware

Embedded vSphere Harbor default enablement results in an insecure configuration

This post is relevant to administrators that have enabled the embedded Harbor version in vSphere 7.0 or 8.0 as explained in Enable the Embedded Harbor Registry on the Supervisor Cluster. Harbor-helm issue: Harbor, when installed with harbor-helm, will use a default...
VMware

How to Detect PoshC2 PowerShell Implants

PoshC2 is a proxy-aware cross-platform C2 framework that natively supports Docker. Once configured and executed, it generates over 100 modifications of fresh implants, written in PowerShell, C#, and Python. The framework has a modular architecture to enable users to...
VMware

Unveiling the Evolution of Royal Ransomware

While the evolution of ransomware techniques is to be expected, the speed at which the Royal Ransomware Group has been able to adapt is impressive. Since it was first reported, those responsible for Royal ransomware have advanced quickly over...
VMware

VMware and Pwn2Own Vancouver 2023

Greetings from VMware Security Response Center!! We’re excited to announce that VMware will be returning to Pwn2Own 2023 hosted on March 22nd – 24th, in Vancouver, Canada. VMware will have the opportunity to attend in-person to validate any demonstrations of...
VMware

Why CISOs Should Prioritize Extended Detection & Response (XDR)

In my role as General Manager of the VMware Security Business Unit, I have the privilege of speaking regularly with many Chief Information Security Officers (CISOs) around the globe. While some face challenges unique to the specific organization over...
VMware

Security Designed for Cloud-Native Architecture

It is 2023 and organizations are continuing to migrate workloads to public clouds, modernize their applications and adopt cloud-native practices at a rapid pace. But all this movement means the attack surface is growing exponentially,...
VMware

The Art of Managing Threat Feeds

Threat Intelligence hugely revolves around the craft of handling multiple threat intelligence feeds. Whether they simply contain a stream of malicious indicators of previous attacks or, for example, a painstakingly assembled list of Cobalt Strike team servers found in...
VMware

Full NGAV, EDR, and Audit/Remediation for Air-Gapped Systems

For many global organizations, workloads can be where the most critical business information resides. These teams need to enforce a strict security posture, ensuring their workloads are not directly exposed to the Internet for security, regulatory, and compliance reasons....
VMware

VMware Brings In-House Benchmarking Tool to Workloads

Benchmarks are a valuable resource that help security practitioners implement and manage their cybersecurity defenses and data. One such benchmarking tool is The Center for Internet Security (CIS). They’ve published CIS Benchmarks, the...
The Register

Ukraine war blurs lines between cyber-crims and state-sponsored attackers

This RomCom is no laughing matter

A change in the deployment of the RomCom malware strain has illustrated the blurring distinction between cyberattacks motivated by money and those fueled by geopolitics, in this case Russia's illegal invasion of Ukraine,...
SC Magazine

We need to refine and secure AI, not turn our backs on the technology

While the potential poisoning of ChatGPT raises some concerns, we need to take this threat as an opportunity to better refine and secure emerging AI models.
The Hacker News

Active Mirai Botnet Variant Exploiting Zyxel Devices for DDoS Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting...
The Hacker News

Urgent WordPress Update Fixes Critical Flaw in Jetpack Plugin on Million of Sites

WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that’s installed on over five million sites. The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0,...
The Register

Dark Pink cyber-spies add info stealers to their arsenal, notch up more victims

Not to be confused with K-Pop sensation BLACKPINK, gang pops military, govt and education orgs

Dark Pink, a suspected nation-state-sponsored cyber-espionage group, has expanded its list of targeted organizations, both geographically and by sector, and has carried out at...