APT32 / OceanLotus on ASEAN Affairs

APT32 / OceanLotus on ASEAN Affairs

OceanLotus (aka APT32) is a very active hacking group. It operates especially in the area of south-east Asia and, according to the security community, it is close to the Vietnamese government. Over the time, many intrusion attempts and data breach have been attributed to it. As for the more purely technical aspects, the group seems very well supported and often adopts advanced tactics and techniques in order to lower the probability of detection. In my personal opinion, the members of this group … [Read more]

Shamoon / DiskTrack Malware IoC for recent Oil & Gas Energy sector attack

A variant of Shamoon malware crippled more than 300 company's computer of Saipem, the italian Oil & Gas services firm. Yesterday, a new variant of this malware has been upload on Virus Total platform from Italy (md5: b41f586fc9c95c66f0967f1592641a85 ). The sample seems to have not been compiled recently (2011-11-28 14:53:13). The malware variant under analysis presents the Arabic language ID support which is in line with previous Shamoon version. It has the capabilities to overwrite the MBR … [Read more]

APT28 / Fancy Bear still targeting military institutions

APT28 / Fancy Bear still targeting military institutions

APT28, aka Fancy Bear, the famous hacker group believed to be state-sponsored from Russia, seems to be targeting NATO partners / defense / military institutions / affairs in these hours. Spear-phishing emails with attached a malicious document referring to a "nato simulation" event (the name of the doc is "NATO Simulation.doc"), seem to be used to try to compromise some institutional entities (likely from east europe). The hunting group involved in the analysis of this event is composed by … [Read more]

Update: Hands in the MuddyWater – Playing with Iranian Cyber-Espionage Campaign

This is an update of previous post "Hands in the MuddyWater - Playing with Iranian Cyber-Espionage Campaign". Because someone asked me to show DNS hits statistics for all the compromized domain names serving this cyber-espionage campaign, following there are the missing two:Three days data 26-29 /10         Note that "hits" can be referred to, in this case, to normal web browsing also (legitimate … [Read more]

Exobot Source Code Available

Exobot Source Code Available

Exobot source code has been leaked and released in darkweb. The code proved to be version 2.5 of the Exobot banking trojan, also known as the "Trump Edition," one of Exobot's last version before its original author gave up on its development. To avoid proliferations of malware samples based on the source code here presented, security restrictions have been applied to download.(Please note that archive is encrypted !! Only accredited security vendors, vetted security researchers and law … [Read more]

Business Continuity and Disaster Recovery Plan

Business Continuity and Disaster Recovery Plan

This is a document written for an italian magazine by Emanuele De Lucia (Information Security n°27 @ Edisef Editore) and used for a training course headed by the author.In this paper are covered topics useful to ensure business continuity of our organizations. The common differences between a BCP and a DRP and others topics such as “centers of redundancy” and “high availability infrastructures” are also dealt.The article can be viewed on Information Security Magazine website:  … [Read more]

Conflitti Digitali: Classificazione e Retroscena

Conflitti Digitali: Classificazione e Retroscena

“Conflitti Digitali: Classificazione e Retroscena” is an article written for a seminar to which the author has participated as speaker. The text is very discursive and examines the evolution of a new way of thinking about the offense: the wars in the cyber space and their backstory. For now, the text is available in italian only... Download Now

OpenSSL TLS HeartBeat (HeartBleed) Vulnerability Subnet Scan

OpenSSL TLS HeartBeat (HeartBleed) Vulnerability Subnet Scan

This script allows to test a full /24 subnet for OpenSLL TLS HeartBeat (HeartBleed) Vulnerability. Originally coded by Jared Stafford ([email protected]) to test this weakness on a single host at a time, it has been modified by Emanuele De Lucia to allow the scan of an entire subnet. This modification has been made for work reasons within few hours by the notice of the vulnerability, in order to readily identify the affected services within a very wide range of systems exposed. May be … [Read more]

IPv6 Security Overview

IPv6 Security Overview

The paper considers the new Internet Protocol (IPv6 or IPng) that is about to replace the old IPv4. The arguments come from reading some texts about it, with a point of view to security that is expected. It also quickly shows the possible evolution of today's most common cyber attacks, as well as some technical details about the suite of IPSec protocols, because its security model will be required to be supported by all IPv6 implementations. It's possible to read this document on GoGo6.com … [Read more]

(D)DOS: Practical Approach – Hakin9.org – IT Security Magazine

(D)DOS: Practical Approach - Hakin9.org - IT Security Magazine

Hakin9 IT Security Magazine published an article of mine about a practical approach to (D)DoS attacks. In this paper are showed several offensive practices on how to conduct a DDoS attack, with a strong hand on techniques, tools and code chunks. There are also present screenshots and link references to the authors of the various exploits used (when used), as well as even a simple client-server C SYN Flood program created by me in order to better explain how botnets work... Look it on Hakin9 … [Read more]