
Introducing Dionaea with Darwis Threat Intel API Integration

Cyber Security and Privacy Foundation is pleased to announce that we have open-sourced our panel and the code for integrating Dionaea with our threat intel API.

This can be used as a honeypot to gain insight into attackers and the malware they deploy.

To get started you will need a Linux machine with Docker installed. Once that is in place, follow these steps.

More detailed instructions are in the repository:

https://github.com/CSPF-Founder/dionaea-darwis


Clone this repository:

git clone https://github.com/CSPF-Founder/dionaea-darwis

Setup commands:

cd dionaea-darwis

./install.sh

Once all three containers have started, open the following URL in a browser:

https://localhost:12443

This will take you to the setup page. Click the "Setup" button to perform the base setup for the panel. If that succeeds, you will be taken to the license activation page.

To get a license key, go to https://cysecurity.co/panel/keys/request and enter your email address. You will receive an email with a link to follow; the page it opens contains the key to enter into the panel above. (Please note that the key can only be viewed/activated once, so keep a backup.)


Once the license key has been entered, you can set up a local user account and log in to the panel. In the panel, click "View logs" for a granular view of the captured data.

It lists the captured files along with the capture time, the verdict and, where applicable, the malware name. You can also filter by time and date, and the data can be exported in multiple formats such as CSV and XLS.


U.S. Cyber Command Officially Links MuddyWater Gang to Iranian Intelligence


The US military's Cyber Command on Wednesday officially tied the Iranian-backed MuddyWater hacking group to Iran's Ministry of Intelligence and Security (MOIS).

According to Cyber Command, the group was first identified in 2017 and is a subordinate element within MOIS, which conducts both domestic surveillance operations and the targeting of a wide spectrum of entities in the government, academic, cryptocurrency, telecommunications and oil sectors in the Middle East.

"MuddyWater is an Iranian threat group; previously, the industry has reported that MuddyWater has primarily targeted Middle Eastern nations, and has also targeted European and North American nations," Cyber Command said in a statement.

On Twitter, Cyber Command said the group was employing a suite of malware for espionage and other malicious activity. "MOIS hacker group MuddyWater is using open-source code for malware," it said. "MuddyWater and other Iranian MOIS APTs are using DNS tunneling to communicate to its C2 infrastructure; if you see this on your network, look for suspicious outbound traffic."
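Cyber Command's advice above is to look for DNS tunneling in outbound traffic. The following is an added example, not Cyber Command's or CSPF's code, of a small heuristic scanner run over constructed DNS query log lines. The log format, the thresholds, the hostnames and the "last two labels" notion of a registered domain are all assumptions made for the example.

```python
"""Heuristic DNS-tunneling detector run over constructed DNS query log lines.

Added example for the MuddyWater post; not Cyber Command's or CSPF's code.
The log format, thresholds and sample hosts are assumptions made for the example.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log (not real traffic): "<timestamp> <client-ip> <queried-name>".
# 10.0.0.5 shows ordinary browsing; 10.0.0.7 shows the long, high-entropy,
# ever-changing subdomains typical of data encoded into DNS queries.
ENCODED = "0123456789abcdefghijklmnopqrstuvwxyz"
SAMPLE_DNS_LOG = "\n".join(
    [
        "2022-01-12T10:00:01Z 10.0.0.5 www.example.com",
        "2022-01-12T10:00:02Z 10.0.0.5 mail.example.com",
        "2022-01-12T10:00:03Z 10.0.0.5 cdn.example.com",
        "2022-01-12T10:00:03Z 10.0.0.5 example.com",
    ]
    + [
        f"2022-01-12T10:00:0{i}Z 10.0.0.7 {ENCODED[i:] + ENCODED[:i]}.c2-placeholder.test"
        for i in range(6)
    ]
)


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads approach log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registered_domain(qname: str) -> str:
    """Naive 'last two labels' split (assumption); production code would use a public-suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text: str):
    """Yield (timestamp, client, qname) tuples from the assumed log format."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, qname = line.split()
        yield ts, client, qname.lower().rstrip(".")


def label_reasons(subdomain: str, max_label_len: int = 30, min_entropy: float = 3.5) -> set:
    """Per-query signals on the subdomain part (everything left of the registered domain)."""
    reasons = set()
    labels = subdomain.split(".")
    if max(len(label) for label in labels) > max_label_len:
        reasons.add("long_label")
    if shannon_entropy(subdomain.replace(".", "")) >= min_entropy:
        reasons.add("high_entropy")
    return reasons


def find_tunneling_candidates(text: str, unique_sub_threshold: int = 5) -> dict:
    """Return {(client, domain): sorted reasons} for client/domain pairs showing any signal."""
    subs_seen = defaultdict(set)
    for _ts, client, qname in parse_dns_log(text):
        domain = registered_domain(qname)
        if qname == domain:
            continue  # bare apex query carries no subdomain to inspect
        subdomain = qname[: -(len(domain) + 1)]  # strip ".<domain>"
        subs_seen[(client, domain)].add(subdomain)

    findings = {}
    for key, subs in subs_seen.items():
        reasons = set()
        # Many distinct subdomains for one domain from one client: each query carries new data.
        if len(subs) >= unique_sub_threshold:
            reasons.add("many_unique_subdomains")
        for sub in subs:
            reasons |= label_reasons(sub)
        if reasons:
            findings[key] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for (client, domain), reasons in find_tunneling_candidates(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {domain}: {', '.join(reasons)}")
```

Running the script prints the one client/domain pair that trips all three heuristics. These signals are a triage starting point rather than a verdict: legitimate services (CDNs, antivirus signature lookups, some telemetry) also use long encoded labels, so flagged pairs should be checked against known-good domains and query volume before anyone raises an incident.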

In partnership with the FBI, USCYBERCOM's Cyber National Mission Force (CNMF) has also shared multiple malware samples of PowGoop, a DLL loader designed to decrypt and run a PowerShell-based malware downloader. Five of the files that CYBERCOM has uploaded to VirusTotal this week aren’t identified as malicious by any of the antivirus engines in the scanning service, while six others have very low detection rates.

"If you see a combination of these tools, Iranian MOIS actor MuddyWater may be in your network. MuddyWater has been seen using a variety of techniques to maintain access to victim networks," the US military command added. "These include side-loading DLLs in order to trick legitimate programs into running malware and obfuscating PowerShell scripts to hide command and control functions."

Last November, cyber authorities in the US, UK and Australia attributed attacks exploiting vulnerabilities in Fortinet and Exchange products to Iranian-backed attackers. Rather than targeting a particular sector of the economy, the actors focused on exploiting the vulnerabilities wherever possible; having gained initial access, they then attempted to turn it into data exfiltration, a ransomware attack or extortion.